CVE-2026-42490
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
CVE-2026-42490 vulnerability relates to the way the system acquires a lock for guest management operations in a Xen environment. When using XSM/Flask, the lock acquisition may occur before permission checks, creating a risk of unauthorized access.
Risk Assessment
The lack of proper permission checks before acquiring the lock may lead to unauthorized access to system resources, jeopardizing the integrity and security of data within the organization.
Recommendation
It is recommended to review and modify the lock acquisition mechanism to ensure that permission checks are performed before granting the lock. Additionally, systems should be monitored and updated to eliminate this vulnerability.
Original NVD description (English source)
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.

