ALPINE-CVE-2026-23553

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2026-23553

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23553.json

JSON Data

https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2026-23553

Upstream

CVE-2026-23553

Published

2026-01-28T16:16:16.853Z

Modified

2026-01-29T11:18:29.057696Z

Severity

2.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider:

1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.

References

https://security.alpinelinux.org/vuln/CVE-2026-23553

Affected packages

Alpine:v3.20 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.18.5-r4

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.3-r0

4.18.3-r1

4.18.3-r2

4.18.4-r0

4.18.4-r1

4.18.5-r0

4.18.5-r1

4.18.5-r2

4.18.5-r3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23553.json"

Alpine:v3.21 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.19.4-r1

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.2-r2

4.19.0-r0

4.19.0-r1

4.19.1-r0

4.19.2-r0

4.19.2-r1

4.19.2-r2

4.19.3-r0

4.19.3-r1

4.19.3-r2

4.19.4-r0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23553.json"

Alpine:v3.22 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.20.2-r1

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.2-r2

4.19.0-r0

4.19.0-r1

4.19.1-r0

4.19.1-r1

4.19.2-r0

4.20.0-r0

4.20.0-r1

4.20.1-r0

4.20.1-r1

4.20.1-r2

4.20.2-r0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23553.json"

Alpine:v3.23 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.20.2-r1

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.2-r2

4.19.0-r0

4.19.0-r1

4.19.1-r0

4.19.1-r1

4.19.2-r0

4.20.0-r0

4.20.0-r1

4.20.0-r2

4.20.1-r0

4.20.1-r1

4.20.1-r2

4.20.2-r0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23553.json"