Xen Advisories Disclose Linux Guest Kernel Flaws Enabling Privilege Escalation
Xen has disclosed two Linux guest kernel vulnerabilities affecting virtualized environments, warning that both issues require patching and have no known mitigations. CVE-2026-31786 (XSA-485) affects Linux kernels 4.13 and later in Xen domains through unsafe handling of the binary build ID exposed at /sys/hypervisor/properties/buildid. The affected code passes the binary value, which is not null-terminated, to sprintf() as if it were a C string; the resulting unbounded read can run past the end of the value and, in rare cases, write past the 4 KB sysfs buffer, potentially leading to information disclosure, denial of service, or privilege escalation inside Linux Xen guests.
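The bug class behind XSA-485 is a string-formatting call applied to raw bytes that carry no terminator. The following is an added illustration written for this page; it is not the Linux kernel's sysfs code and not the patch Xen supplied. The sample build ID, the hex-encoded output representation, and the function names format_buildid_hex and show_buildid are all assumptions made for the example. It contrasts the unsafe "%s" pattern (shown only in a comment, since executing it is undefined behaviour) with a length-aware encoder whose every write is bounded by the remaining output space.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of one sysfs page buffer, the 4 KB limit the advisory refers to. */
#define SYSFS_PAGE_SIZE 4096

/* Constructed sample build ID (not a real Xen build ID). It is raw binary:
 * it has no NUL terminator, and it may legitimately contain 0x00 bytes
 * (the first byte here). Both properties make "%s" the wrong conversion. */
static const unsigned char SAMPLE_BUILD_ID[20] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67
};

/*
 * The bug class described in the advisory, for reference only; it is never
 * called here because its behaviour is undefined:
 *
 *     sprintf(page, "%s", build_id);
 *
 * "%s" keeps reading until it meets a 0x00 byte. With no terminator inside
 * the build ID that read runs past the end of the value, and because sprintf
 * has no output limit, whatever it reads is also copied into `page`, possibly
 * beyond the 4 KB buffer. A leading 0x00 byte has the opposite effect: the
 * output is silently truncated to an empty string.
 */

/*
 * Hardened form: treat the value as bytes with an explicit length, hex-encode
 * it, and bound every write by the space that remains in the output buffer.
 * Returns the number of characters written (excluding the NUL), or -1 if the
 * encoded value plus terminator would not fit; on failure out[0] is '\0'.
 */
int format_buildid_hex(const unsigned char *id, size_t len,
                       char *out, size_t outsz)
{
    size_t pos = 0;

    if (id == NULL || out == NULL || outsz == 0)
        return -1;

    for (size_t i = 0; i < len; i++) {
        /* Each byte needs two hex digits plus room for the terminator. */
        if (outsz - pos < 3) {
            out[0] = '\0';
            return -1;
        }
        /* snprintf is told exactly how much room remains. */
        int n = snprintf(out + pos, outsz - pos, "%02x", id[i]);
        if (n != 2) {
            out[0] = '\0';
            return -1;
        }
        pos += 2;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Hypothetical sysfs-style show helper: formats the sample ID into a
 * page-sized buffer, appends the conventional trailing newline, and returns
 * the byte count a reader of the attribute would receive, or -1 on overflow. */
int show_buildid(char *page, size_t pagesz)
{
    int n = format_buildid_hex(SAMPLE_BUILD_ID, sizeof SAMPLE_BUILD_ID,
                               page, pagesz);
    if (n < 0)
        return -1;
    if ((size_t)n + 1 >= pagesz) {
        page[0] = '\0';
        return -1;
    }
    page[n] = '\n';
    page[n + 1] = '\0';
    return n + 1;
}

int main(void)
{
    char page[SYSFS_PAGE_SIZE];
    int n = show_buildid(page, sizeof page);
    printf("%d bytes: %s", n, page);
    return n < 0;
}
```

The check that matters is the one the unsafe pattern lacks: the encoder never consults the content of the input to decide when to stop, only its length, and it never writes without first confirming the remaining space. A buffer too small for the whole encoding yields an error and an empty string rather than a partial or overflowing write.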
A second advisory, CVE-2026-31787 (XSA-487), describes a double-free flaw in the Linux Xen privcmd driver that allows a root user in a Linux guest to bypass kernel lockdown protections tied to secure boot. Xen said the issue affects Linux PVH or HVM domains on x86 and Arm from kernel 3.8 onward, while PV domains and non-Linux guests are not affected. The vulnerabilities were reported by Frediano Ziglio of XenServer and Atharva Vartak (@0xAth4rv), respectively, and Xen urged operators to apply the supplied Linux patches.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Xen publicly releases XSA-487 v2 for CVE-2026-31787
On 2026-04-28, Xen publicly disclosed XSA-487 version 2 covering CVE-2026-31787, a double-free vulnerability in the Linux Xen privcmd driver. Xen said Linux PVH or HVM domains on x86 or Arm from kernel 3.8 onward were affected, no mitigation was available, and remediation required applying the provided Linux patch.
Xen publicly releases XSA-485 v2 for CVE-2026-31786
On 2026-04-28, Xen publicly disclosed XSA-485 version 2 covering CVE-2026-31786, a Linux kernel bug in handling the binary build ID exposed via /sys/hypervisor/properties/buildid. Xen said Linux domains running kernel 4.13 or later were affected, no mitigation was known, and users should apply the provided Linux patch.
Researchers discover two Xen-related Linux kernel flaws
Frediano Ziglio of XenServer discovered an out-of-bounds read flaw later assigned CVE-2026-31786, and Atharva Vartak discovered a double-free flaw in the Xen privcmd driver later assigned CVE-2026-31787. Both issues affected Linux guests in Xen environments and ultimately required kernel patches.
Sources
XSA-485 - Xen Security Advisories (xenbits.xen.org)
oss-sec: Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (seclists.org)
oss-sec: Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver (seclists.org)