Cyber Posture

CVE-2026-23554

Severity: High

Published: 23 March 2026
Modified: 10 April 2026
KEV Added: (not listed)
Patch: 17 March 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23554 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in the Xen hypervisor (vendor: Xen, product: Xen). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The CVE is ranked at the 2.6th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Escape to Host (T1611). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly remediates the TOCTOU race condition in the Xen EPT paging code by applying the patches from Xen Security Advisory 480.

prevent (SI-16, Memory Protection): Implements controls minimizing unauthorized access to persistent and non-persistent memory regions, countering stale cached EPT entries that expose host memory to guests.

prevent: Enforces process and memory isolation between guests and host, mitigating unintended access via transiently cached paging structures.

MITRE ATT&CK Enterprise Techniques

T1611 Escape to Host (Privilege Escalation): Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

The Xen EPT TOCTOU race directly enables a guest-to-host memory escape, which is the behaviour T1611 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

Deeper analysis

CVE-2026-23554 affects the Intel EPT (Extended Page Tables) paging code in the Xen hypervisor. The vulnerability stems from an optimization that defers flushing of cached EPT state until the p2m lock is dropped, so that multiple modifications made under the same locked region trigger only a single flush. However, the freeing of paging structures is not deferred until after that flush, so freed pages can transiently remain present in cached state. These stale entries may point to memory ranges not owned by the guest, enabling access to unintended memory regions. The issue is classified under CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) with a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) inside a guest virtual machine can exploit this vulnerability under high attack complexity (AC:H) with no user interaction required. Successful exploitation allows access to host memory regions outside the guest's ownership; because the scope changes (S:C) from the guest to the host context, confidentiality, integrity, and availability are all rated as high impact.

Xen Security Advisory 480 (XSA-480) documents the vulnerability, with details available at https://xenbits.xenproject.org/xsa/advisory-480.html and http://xenbits.xen.org/xsa/advisory-480.html. Additional discussion appears in the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/17/6. Practitioners should consult these advisories for patch information and mitigation guidance.

Details

CWE(s): CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)

Affected Products

Vendor: xen
Product: xen
Versions: ≥ 4.17

CVEs Like This One

CVE-2025-58150 (same product: Xen Xen)
CVE-2026-23555 (same product: Xen Xen)
CVE-2025-22224 (shared CWE-367)
CVE-2026-32988 (shared CWE-367)
CVE-2025-23359 (shared CWE-367)
CVE-2024-42444 (shared CWE-367)
CVE-2026-30332 (shared CWE-367)
CVE-2026-21240 (shared CWE-367)
CVE-2024-53028 (shared CWE-367)
CVE-2026-27750 (shared CWE-367)
