Xen: x86 Mismatched Mapcache Metadata (XSA-494)

🗓️ 12 Jun 2026 00:00:00Reported by TenableType

Xen x86 mismatched mapcache metadata can cause privilege escalation, DoS, and leaks; apply patch.

Reporter	Title	Published	Views	Family All 18
Circl	CVE-2026-42488	9 Jun 202613:47	–	circl
CVE	CVE-2026-42488	9 Jun 202612:00	–	cve
Debian CVE	CVE-2026-42488	9 Jun 202612:00	–	debiancve
OSV	DEBIAN-CVE-2026-42488	9 Jun 202614:48	–	osv
OSV	SUSE-SU-2026:2328-1 Security update for xen	10 Jun 202607:39	–	osv
OSV	SUSE-SU-2026:2329-1 Security update for xen	10 Jun 202607:39	–	osv
OSV	SUSE-SU-2026:2364-1 Security update for xen	11 Jun 202606:54	–	osv
OSV	UBUNTU-CVE-2026-42488	9 Jun 202600:00	–	osv
Positive Technologies	PT-2026-48241	9 Jun 202600:00	–	ptsecurity
Positive Technologies	PT-2026-48242	9 Jun 202600:00	–	ptsecurity

Source	Link
xenbits	www.xenbits.xenproject.org/xsa/advisory-494.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(320867);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/12");

  script_cve_id("CVE-2026-42488");
  script_xref(name:"IAVB", value:"2026-B-0069");

  script_name(english:"Xen: x86 Mismatched Mapcache Metadata (XSA-494)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
  script_set_attribute(attribute:"description", value:
"Some shadow paging errors paths will switch the page-tables without updating the currently running vCPU reference.
This causes a mismatch between the loaded page-tables and the mapcache metadata which can lead to corruption of the
mapcache. This can result in privilege escalation, Denial of Service (DoS) affecting the entire host, and information
leaks.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xenproject.org/xsa/advisory-494.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42488");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/12");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("xen_server_detect.nbin");
  script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var fixes;
var app = 'Xen Hypervisor';
var app_info = vcf::xen_hypervisor::get_app_info(app:app);
if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixes['4.17']['fixed_ver']           = '4.17.6';
fixes['4.17']['fixed_ver_display']   = '4.17.6 (changeset 5dfbc0b)';
fixes['4.17']['affected_ver_regex']  = "^4\.17\.";
fixes['4.17']['affected_changesets'] = make_list("9e60576", "a0371b3",
  "c76e892", "33937ea", "16f1d36", "333c263", "08157db", "95b9e5a",
  "4ba0e07", "2721263", "0818baa", "9609fec", "4aa3ccc", "ffc0d27",
  "53cd1f0", "a0119e1", "6789ab9", "d6d9f96", "43013fe", "e4a65bd",
  "95bfcd4", "0a51498", "eb8153a", "037e662", "fc4b442", "b08478b",
  "c5915a5", "4c11789", "caf651f", "550d632", "7dedada", "7985e87",
  "db0c7c9", "57d0c0c", "2319a85", "ca4c5d8", "36e6dcb", "a2bca55",
  "87567b0", "8f29c76", "8c80ec8");

fixes['4.18']['fixed_ver']           = '4.18.5';
fixes['4.18']['fixed_ver_display']   = '4.18.5 (changeset 07f3beb)';
fixes['4.18']['affected_ver_regex']  = "^4\.18\.";
fixes['4.18']['affected_changesets'] = make_list("bb9856e", "57b2611",
  "1c2e5eb", "49659a2", "9fe3534", "28cef29", "2c48c89", "4594a6b",
  "3574299", "c5501d5", "8fe1695", "9abd848", "45d368d", "c76ed41",
  "1f1cafe", "53ff970", "86dd2e3", "2fc05f3", "bc1a888", "12659bf",
  "f91eab5", "64327f3", "3786cf1", "b471a84", "4ef23e6", "3f4d62d",
  "581a10f", "dd781ac", "7f9ded3", "fcac058", "9f070ec", "4c88676",
  "2c5f7fd", "8b8c324", "ec8251e", "d477525", "f196c2f", "502d206",
  "343379c", "d15515f", "f6b0a04", "4112b5c", "8746612", "f0fcf69",
  "d04a36f", "a52a373", "832ecbf", "9143406", "1ac5088", "c90cec6",
  "46c0b23", "2102093", "de89b16", "aba830f", "5119086", "25a125c",
  "13d3020", "d8cab42", "41b62f8", "82c302a", "b6266b2", "cd46db2",
  "9c0becc", "9548f45", "2ec55f6", "df49dab", "709a223", "8b348e9",
  "60820cd", "dcc9c3a", "43c513c", "8fc76b1", "e9d112e", "460ece3",
  "438bb12", "0b8f769");

fixes['4.19']['fixed_ver']           = '4.19.5';
fixes['4.19']['fixed_ver_display']   = '4.19.5 (changeset 376de64)';
fixes['4.19']['affected_ver_regex']  = "^4\.19\.";
fixes['4.19']['affected_changesets'] = make_list("a9c8547", "52b28b0",
  "618173c", "1ea95e2", "54bb4e9", "17bce44", "923d698", "4618e73",
  "7fcb12d", "c581c40", "5c86d12", "fc86e21", "2ff10f2", "3ca879f",
  "d5f0523", "2ba1d54", "c49dc94", "a5b7170", "08afe7a", "3c45f67",
  "f615fc1", "8f449eb", "27e32cc", "0ac3924", "792e70b", "e1eae71",
  "8056c40", "7bcc106", "308be67", "7497e64", "60a2c34", "7a15cde");

fixes['4.20']['fixed_ver']           = '4.20.4';
fixes['4.20']['fixed_ver_display']   = '4.20.4-pre (changeset 2653b35)';
fixes['4.20']['affected_ver_regex']  = "^4\.20\.";
fixes['4.20']['affected_changesets'] = make_list("08ea7c4", "d84ac74",
  "ff6ee97", "c8fbbdc", "c411e33", "4fab100", "324d0ee", "c720b15",
  "5f17064", "13865d7", "b8193cc", "c51d9a3", "d1ffc53", "1a7b04a",
  "4e53d41", "f7ec26e", "e701842", "724f4f4", "2a50079", "aa133b1",
  "c1c16ad", "634145d", "1927a7e", "493a937", "24ccd83", "6cf9b61",
  "2abb8d0", "33a6d8a", "806c814", "ccac195", "ae41936", "0bd3ff8",
  "04747ce", "8f981ab", "152183d", "4563f9c", "a99d160", "d006fa1",
  "869ef9b", "937d1c7", "3ed365e", "51e0905", "cf3a174", "54ba668",
  "207e11f", "5f70542", "ad5d955", "57db4b6", "ef5c706", "be6b618",
  "d5c70a5", "c6d16eb", "92d668b", "1f067a8", "1648908", "491f661",
  "928144f", "eb2c288", "05b8f71", "140d981", "0359ff3", "c2cb923",
  "c1a7c61", "ce40b0b", "36366ff", "f1826fa", "b96452c", "5568870");

fixes['4.21']['fixed_ver']           = '4.21.2';
fixes['4.21']['fixed_ver_display']   = '4.21.2-pre (changeset 3bdb2a4)';
fixes['4.21']['affected_ver_regex']  = "^4\.21\.";
fixes['4.21']['affected_changesets'] = make_list("9298834", "781ee51",
  "984c082", "8851d2e", "bec5efc", "fcccf99", "1ea57a5", "e3b16b8",
  "82887f1", "b48039e", "83f6441", "619b70f", "f1bbc00", "3941b2c",
  "7073cc4", "15f385c", "d08d614", "a0e384c", "b9aebf7", "ab63ab5",
  "06ca3be", "7dff06d", "e772f8d", "1874bf7", "8d2ffa5", "4ac1fc0",
  "1b251cc", "4989714", "9a0327b", "647e362", "04db4dc", "4d6e6ed",
  "3928945", "02bcb4e", "16e9e62", "ed13b64", "3db23df", "7372aca",
  "fd2ccd7", "3dccad5", "1ae7e08", "9358a20", "a8e8541", "13ca96c",
  "00496ab", "032d39f", "8af05b4", "0d8b25d", "43e32ae", "f732e91",
  "17a7843", "54db249", "27748a7", "2d1a11a", "76b359a", "9c79644",
  "6b8be12", "b2352be", "8f3dcdc", "afb919f", "f35f0ac", "c9ba169",
  "feb9949", "e2981e0", "761aba9", "a011ca9", "8482a1c", "b3c4a20",
  "aaa03d4", "646bcc1", "d174a86", "fa82d4f");

vcf::xen_hypervisor::check_version_and_report(app_info:app_info, fixes:fixes, severity:SECURITY_WARNING);

12 Jun 2026 00:00Current

5.5Medium risk

Vulners AI Score5.5