Xen Advisory Warns Linux `privcmd` Flaw Can Bypass Kernel Lockdown
Xen disclosed XSA-482 for CVE-2026-31788, a flaw in the Linux kernel's privcmd driver that can let an administrator inside an unprivileged Xen guest bypass kernel lockdown protections enforced under secure boot. The bug can be abused to perform actions on the guest kernel that should be blocked in secure mode, including modifying page tables in a way that could allow user mode to alter kernel memory.
The issue affects Xen PV, PVH, and HVM guests running Linux with secure boot enabled. Xen said BSD-based systems are believed unaffected because they do not support secure boot in this context. The vulnerability was discovered by Teddy Astie of Vates, no mitigation is currently known, and remediation requires applying the published Linux patch set; the latest advisory revision notes that the flaw has now been assigned CVE-2026-31788.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
XSA-482 version 3 adds CVE-2026-31788 assignment
A later revision of Xen Security Advisory 482 noted that the vulnerability had been assigned CVE-2026-31788. The update did not change the core impact, which includes possible page-table modification that could enable user-mode modification of kernel memory inside affected Linux guests.
Xen publishes XSA-482 for Linux privcmd kernel lockdown bypass
Xen disclosed Security Advisory XSA-482 for a flaw in the Linux kernel's privcmd driver that can let an administrator in an unprivileged Xen guest bypass secure-boot kernel lockdown protections. The advisory said affected systems include Xen PV, PVH, and HVM guests running Linux with secure boot, with no known mitigation other than applying the provided Linux patches.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
oss-sec: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown
seclists.org
Open sourceoss-sec: Xen Security Advisory 482 v3 (CVE-2026-31788) - Linux privcmd driver can circumvent kernel lockdown
seclists.org
Open sourceoss-sec: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown
seclists.org
Open sourceoss-sec: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown
seclists.org
Open sourceoss-sec: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown
seclists.org
Open sourceoss-sec: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown
seclists.org
Open sourceoss-sec: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Xen Advisories Disclose Linux Guest Kernel Flaws Enabling Privilege Escalation
Xen has disclosed two Linux guest kernel vulnerabilities affecting virtualized environments, warning that both issues require patching and have no known mitigations. **CVE-2026-31786** (`XSA-485`) affects Linux kernels **4.13 and later** in Xen domains through unsafe handling of the binary build ID exposed at `/sys/hypervisor/properties/buildid`. The bug uses `sprintf()` on a non-null-terminated binary value, which can trigger an out-of-bounds read and, in rare cases, a write past the 4 KB sysfs buffer, potentially leading to **information disclosure, denial of service, or privilege escalation** inside Linux Xen guests. A second advisory, **CVE-2026-31787** (`XSA-487`), describes a **double-free** flaw in the Linux **Xen `privcmd` driver** that allows a **root user in a Linux guest** to bypass kernel lockdown protections tied to secure boot. Xen said the issue affects Linux **PVH or HVM domains** on **x86 and Arm** from kernel **3.8 onward**, while PV domains and non-Linux guests are not affected. The vulnerabilities were reported by **Frediano Ziglio of XenServer** and **Atharva Vartak (@0xAth4rv)**, respectively, and Xen urged operators to apply the supplied Linux patches.
Apr 30, 2026
Xen warns AMD Zen 2 opcode cache flaw can enable guest-to-host escalation
Xen disclosed **Xen Security Advisory 490** for `CVE-2025-54518`, an x86 CPU opcode cache corruption flaw affecting Xen deployments on certain AMD processors. The issue is believed to impact **AMD Family 17h CPUs based on the Zen 2 microarchitecture**, and Xen said successful exploitation could let code running at any privilege level gain higher privileges, including **userspace-to-kernel** and **guest-to-host** escalation. The advisory says **all Xen versions** are affected when running on the vulnerable CPUs, while other AMD processors and CPUs from other vendors are not known to be impacted. Xen reported that **no mitigations are available** and directed users to apply released patches for `xen-unstable`, Xen `4.21.x` through `4.18.x`, and Xen `4.17.x`; the `4.17` branch also requires an unusual additional backported patch because the fix is closely coupled with an earlier change.
May 25, 2026
Xen Patches Cross-Guest Data Leak on AMD Zen1 CPUs
Xen disclosed **XSA-488**, a transient execution vulnerability named **Floating Point Divider State Sampling** that affects x86 deployments running on vulnerable **AMD Fam17h (Zen1)** processors. The flaw was identified by researchers from the **CISPA Helmholtz Center for Information Security**, and Xen said an attacker may be able to infer data from other execution contexts, including **other guest VMs**, creating a cross-tenant confidentiality risk for virtualized environments. According to the advisory, **all Xen versions** are affected when deployed on the impacted CPU family. Xen said **no mitigations are currently available**, but released fixes for `xen-unstable` and the supported **4.20/4.19, 4.18, and 4.17** branches, urging operators on affected hardware to apply the relevant patches to reduce exposure.
Apr 30, 2026