CVE-2026-42488 PUBLISHED

x86: mismatched mapcache metadata

Assigner: XEN
Reserved: 27.04.2026 Published: 18.06.2026 Updated: 18.06.2026

Some shadow paging errors paths will switch the page-tables without updating the currently running vCPU reference. This causes a mismatch between the loaded page-tables and the mapcache metadata which can lead to corruption of the mapcache.

Product Status

Vendor	Xen
Product	Xen
Versions	Default: unknown Version consult Xen advisory XSA-494 is unknown

Affected Configurations

Xen 4.15 and onwards are vulnerable. Any Xen version with the fix for XSA-438 applied is vulnerable.

Only x86 systems are vulnerable. Only 64-bit PV guests can leverage the vulnerability, and only when running in shadow mode. Shadow mode would be in use when migrating guests or as a workaround for XSA-273 (L1TF).

Workarounds

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.

Credits

This issue was discovered by Roger Pau Monné of XenServer. finder

References

https://xenbits.xenproject.org/xsa/advisory-494.html

Impacts

Privilege escalation, Denial of Service (DoS) affecting the entire host, and information leaks.