EIP-2026-103038

PRE-CVE

Xen 64bit PV Guest - pagetable use-after-type-change Breakout

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103038. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a race condition in Xen's handling of pagetable updates via multicall hypercalls, allowing a 64-bit PV guest kernel to corrupt top-level pagetables. The PoC demonstrates arbitrary hypervisor memory manipulation, leading to a triple fault or shellcode execution in the hypervisor context.

Description

Xen 64bit PV Guest - pagetable use-after-type-change Breakout

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textlocallinux

https://www.exploit-db.com/exploits/41973

View Code ZIP pw:eip

This exploit leverages a race condition in Xen's handling of pagetable updates via multicall hypercalls, allowing a 64-bit PV guest kernel to corrupt top-level pagetables. The PoC demonstrates arbitrary hypervisor memory manipulation, leading to a triple fault or shellcode execution in the hypervisor context.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Xen 4.6.x (specifically tested on 4.6.0 and 4.6.4)

Auth required

Prerequisites: Root access in a 64-bit PV guest · Xen hypervisor with vulnerable version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026