CVE-2026-42489

MEDIUM

domctl lock open to abuse

Title source: cna
STIX 2.1

Description

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.

References (1)

Core 1

Scores

CVSS v3 5.3
EPSS 0.0008
EPSS Percentile 0.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-667
Status published
Products (1)
Xen/Xen consult Xen advisory XSA-492
Published Jun 18, 2026
Tracked Since Jun 18, 2026