CVE-2026-42489 PUBLISHED

domctl lock open to abuse

Assigner: XEN
Reserved: 27.04.2026 Published: 18.06.2026 Updated: 18.06.2026

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]

To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489.

Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.

Product Status

Vendor	Xen
Product	Xen
Versions	Default: unknown Version consult Xen advisory XSA-492 is unknown

Affected Configurations

All Xen versions from 3.3 onwards are vulnerable. Earlier versions use a different locking operation, but may also be vulnerable.

Workarounds

There is no known mitigation.

Credits

This issue was discovered by Andrew Cooper of Citrix. finder

References

https://xenbits.xenproject.org/xsa/advisory-492.html

Impacts

A less privileged entity may stall an equally or more privileged entity, potentially leading to a Denial od Service (DoS) of up to the entire host.