Lucene search
K

Xen: domctl Lock Open to Abuse (XSA-492)

🗓️ 12 Jun 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 9 Views

Xen domctl lock flaws enable abuse and DoS via early permission checks (XSA four ninety two, vulnerability 2026 42489, vulnerability 2026 42490).

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-42489
18 Jun 202613:47
attackerkb
ATTACKERKB
CVE-2026-42490
18 Jun 202613:47
attackerkb
Circl
CVE-2026-42489
9 Jun 202613:32
circl
Circl
CVE-2026-42490
9 Jun 202613:32
circl
CVE
CVE-2026-42489
18 Jun 202613:47
cve
CVE
CVE-2026-42490
18 Jun 202613:47
cve
Cvelist
CVE-2026-42489 domctl lock open to abuse
18 Jun 202613:47
cvelist
Cvelist
CVE-2026-42490 domctl lock open to abuse
18 Jun 202613:47
cvelist
Debian CVE
CVE-2026-42489
18 Jun 202613:47
debiancve
Debian CVE
CVE-2026-42490
18 Jun 202613:47
debiancve
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(320869);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/22");

  script_cve_id("CVE-2026-42489", "CVE-2026-42490");
  script_xref(name:"IAVB", value:"2026-B-0069");
  script_xref(name:"IAVB", value:"2026-B-0151");

  script_name(english:"Xen: domctl Lock Open to Abuse (XSA-492)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
  script_set_attribute(attribute:"description", value:
"To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a
domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock
is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore,
with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is
CVE-2026-42490. A less privileged entity may stall an equally or more privileged entity, potentially leading to a
Denial of Service (DoS) of up to the entire host.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xenproject.org/xsa/advisory-492.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42489");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-42490");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/12");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("xen_server_detect.nbin");
  script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var fixes;
var app = 'Xen Hypervisor';
var app_info = vcf::xen_hypervisor::get_app_info(app:app);
if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixes['4.17']['fixed_ver']           = '4.17.6';
fixes['4.17']['fixed_ver_display']   = '4.17.6 (changeset 2721263)';
fixes['4.17']['affected_ver_regex']  = "^4\.17\.";
fixes['4.17']['affected_changesets'] = make_list("0818baa", "9609fec",
  "4aa3ccc", "ffc0d27", "53cd1f0", "a0119e1", "6789ab9", "d6d9f96",
  "43013fe", "e4a65bd", "95bfcd4", "0a51498", "eb8153a", "037e662",
  "fc4b442", "b08478b", "c5915a5", "4c11789", "caf651f", "550d632",
  "7dedada", "7985e87", "db0c7c9", "57d0c0c", "2319a85", "ca4c5d8",
  "36e6dcb", "a2bca55", "87567b0", "8f29c76", "8c80ec8");

fixes['4.18']['fixed_ver']           = '4.18.5';
fixes['4.18']['fixed_ver_display']   = '4.18.5 (changeset 28cef29)';
fixes['4.18']['affected_ver_regex']  = "^4\.18\.";
fixes['4.18']['affected_changesets'] = make_list("2c48c89", "4594a6b",
  "3574299", "c5501d5", "8fe1695", "9abd848", "45d368d", "c76ed41",
  "1f1cafe", "53ff970", "86dd2e3", "2fc05f3", "bc1a888", "12659bf",
  "f91eab5", "64327f3", "3786cf1", "b471a84", "4ef23e6", "3f4d62d",
  "581a10f", "dd781ac", "7f9ded3", "fcac058", "9f070ec", "4c88676",
  "2c5f7fd", "8b8c324", "ec8251e", "d477525", "f196c2f", "502d206",
  "343379c", "d15515f", "f6b0a04", "4112b5c", "8746612", "f0fcf69",
  "d04a36f", "a52a373", "832ecbf", "9143406", "1ac5088", "c90cec6",
  "46c0b23", "2102093", "de89b16", "aba830f", "5119086", "25a125c",
  "13d3020", "d8cab42", "41b62f8", "82c302a", "b6266b2", "cd46db2",
  "9c0becc", "9548f45", "2ec55f6", "df49dab", "709a223", "8b348e9",
  "60820cd", "dcc9c3a", "43c513c", "8fc76b1", "e9d112e", "460ece3",
  "438bb12", "0b8f769");

fixes['4.19']['fixed_ver']           = '4.19.5';
fixes['4.19']['fixed_ver_display']   = '4.19.5 (changeset 17bce44)';
fixes['4.19']['affected_ver_regex']  = "^4\.19\.";
fixes['4.19']['affected_changesets'] = make_list("923d698", "4618e73",
  "7fcb12d", "c581c40", "5c86d12", "fc86e21", "2ff10f2", "3ca879f",
  "d5f0523", "2ba1d54", "c49dc94", "a5b7170", "08afe7a", "3c45f67",
  "f615fc1", "8f449eb", "27e32cc", "0ac3924", "792e70b", "e1eae71",
  "8056c40", "7bcc106", "308be67", "7497e64", "60a2c34", "7a15cde");

fixes['4.20']['fixed_ver']           = '4.20.4';
fixes['4.20']['fixed_ver_display']   = '4.20.4-pre (changeset 4fab100)';
fixes['4.20']['affected_ver_regex']  = "^4\.20\.";
fixes['4.20']['affected_changesets'] = make_list("324d0ee", "c720b15",
  "5f17064", "13865d7", "b8193cc", "c51d9a3", "d1ffc53", "1a7b04a",
  "4e53d41", "f7ec26e", "e701842", "724f4f4", "2a50079", "aa133b1",
  "c1c16ad", "634145d", "1927a7e", "493a937", "24ccd83", "6cf9b61",
  "2abb8d0", "33a6d8a", "806c814", "ccac195", "ae41936", "0bd3ff8",
  "04747ce", "8f981ab", "152183d", "4563f9c", "a99d160", "d006fa1",
  "869ef9b", "937d1c7", "3ed365e", "51e0905", "cf3a174", "54ba668",
  "207e11f", "5f70542", "ad5d955", "57db4b6", "ef5c706", "be6b618",
  "d5c70a5", "c6d16eb", "92d668b", "1f067a8", "1648908", "491f661",
  "928144f", "eb2c288", "05b8f71", "140d981", "0359ff3", "c2cb923",
  "c1a7c61", "ce40b0b", "36366ff", "f1826fa", "b96452c", "5568870");

fixes['4.21']['fixed_ver']           = '4.21.2';
fixes['4.21']['fixed_ver_display']   = '4.21.2-pre (changeset fcccf99)';
fixes['4.21']['affected_ver_regex']  = "^4\.21\.";
fixes['4.21']['affected_changesets'] = make_list("1ea57a5", "e3b16b8",
  "82887f1", "b48039e", "83f6441", "619b70f", "f1bbc00", "3941b2c",
  "7073cc4", "15f385c", "d08d614", "a0e384c", "b9aebf7", "ab63ab5",
  "06ca3be", "7dff06d", "e772f8d", "1874bf7", "8d2ffa5", "4ac1fc0",
  "1b251cc", "4989714", "9a0327b", "647e362", "04db4dc", "4d6e6ed",
  "3928945", "02bcb4e", "16e9e62", "ed13b64", "3db23df", "7372aca",
  "fd2ccd7", "3dccad5", "1ae7e08", "9358a20", "a8e8541", "13ca96c",
  "00496ab", "032d39f", "8af05b4", "0d8b25d", "43e32ae", "f732e91",
  "17a7843", "54db249", "27748a7", "2d1a11a", "76b359a", "9c79644",
  "6b8be12", "b2352be", "8f3dcdc", "afb919f", "f35f0ac", "c9ba169",
  "feb9949", "e2981e0", "761aba9", "a011ca9", "8482a1c", "b3c4a20",
  "aaa03d4", "646bcc1", "d174a86", "fa82d4f");

vcf::xen_hypervisor::check_version_and_report(app_info:app_info, fixes:fixes, severity:SECURITY_WARNING);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation