CVE Catalog

CVE-2026-42490

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

CVE-2026-42490 vulnerability relates to the way the system acquires a lock for guest management operations in a Xen environment. When using XSM/Flask, the lock acquisition may occur before permission checks, creating a risk of unauthorized access.

Risk Assessment

The lack of proper permission checks before acquiring the lock may lead to unauthorized access to system resources, jeopardizing the integrity and security of data within the organization.

Recommendation

It is recommended to review and modify the lock acquisition mechanism to ensure that permission checks are performed before granting the lock. Additionally, systems should be monitored and updated to eliminate this vulnerability.

Original NVD description (English source)

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS