{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23553","assignerOrgId":"23aa2041-22e1-471f-9209-9b7396fa234f","state":"PUBLISHED","assignerShortName":"XEN","dateReserved":"2026-01-14T13:07:36.961Z","datePublished":"2026-01-28T15:33:44.782Z","dateUpdated":"2026-01-28T16:41:14.803Z"},"containers":{"cna":{"title":"x86: incomplete IBPB for vCPU isolation","datePublic":"2026-01-27T12:00:00.000Z","descriptions":[{"lang":"en","value":"In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen's isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks.  Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1's training still in the BTB."}],"impacts":[{"descriptions":[{"lang":"en","value":"Guest processes may leverage information leaks to obtain information\nintended to be private to other entities in a guest."}]}],"affected":[{"defaultStatus":"unknown","product":"Xen","vendor":"Xen","versions":[{"status":"unknown","version":"consult Xen advisory XSA-479"}]}],"configurations":[{"lang":"en","value":"Xen versions which had the XSA-254 fixes backported are vulnerable.\nUpstream, that is 4.6 and newer.\n\nOnly x86 systems are vulnerable.  Arm systems are not vulerable.\n\nSystems vulnerable to SRSO (see XSA-434) with default settings use\nIBPB-on-entry to protect against SRSO.  This is a rather more aggressive\nform of flushing than only on context switch, and is believed to be\nsufficient to avoid the vulnerability."}],"workarounds":[{"lang":"en","value":"Using \"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\" on the Xen command line\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\nit is a large overhead."}],"credits":[{"lang":"en","type":"finder","value":"This issue was discovered by David Kaplan of AMD."}],"references":[{"url":"https://xenbits.xenproject.org/xsa/advisory-479.html"}],"providerMetadata":{"orgId":"23aa2041-22e1-471f-9209-9b7396fa234f","shortName":"XEN","dateUpdated":"2026-01-28T15:33:44.782Z"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/01/27/3"},{"url":"http://xenbits.xen.org/xsa/advisory-479.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-01-28T16:12:31.841Z"}},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-665","lang":"en","description":"CWE-665 Improper Initialization"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-693","lang":"en","description":"CWE-693 Protection Mechanism Failure"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":2.9,"attackVector":"LOCAL","baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-01-28T16:40:38.385640Z","id":"CVE-2026-23553","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-28T16:41:14.803Z"}}]}}