ALPINE-CVE-2026-23554

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2026-23554

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23554.json

JSON Data

https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2026-23554

Upstream

CVE-2026-23554

Published

2026-03-23T07:16:07.200Z

Modified

2026-03-24T09:32:12.156634Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush.

Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

References

https://security.alpinelinux.org/vuln/CVE-2026-23554

Affected packages

Alpine:v3.20 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.18.5-r5

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.3-r0

4.18.3-r1

4.18.3-r2

4.18.4-r0

4.18.4-r1

4.18.5-r0

4.18.5-r1

4.18.5-r2

4.18.5-r3

4.18.5-r4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23554.json"

Alpine:v3.21 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.19.4-r2

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.2-r2

4.19.0-r0

4.19.0-r1

4.19.1-r0

4.19.2-r0

4.19.2-r1

4.19.2-r2

4.19.3-r0

4.19.3-r1

4.19.3-r2

4.19.4-r0

4.19.4-r1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23554.json"

Alpine:v3.22 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.20.2-r2

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.2-r2

4.19.0-r0

4.19.0-r1

4.19.1-r0

4.19.1-r1

4.19.2-r0

4.20.0-r0

4.20.0-r1

4.20.1-r0

4.20.1-r1

4.20.1-r2

4.20.2-r0

4.20.2-r1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23554.json"

Alpine:v3.23 / xen

Package

Name: xen
Purl: pkg:apk/alpine/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.20.2-r2

Affected versions

4.*

4.0.1-r0

4.0.1-r1

4.0.1-r2

4.0.1-r3

4.1.0-r0

4.1.0-r1

4.1.0-r2

4.1.1-r0

4.1.1-r1

4.1.1-r2

4.1.2-r3

4.1.2-r4

4.1.2-r5

4.1.2-r6

4.1.2-r7

4.1.2-r8

4.1.2-r9

4.1.2-r10

4.1.2-r11

4.1.2-r12

4.1.3-r0

4.2.0-r0

4.2.0-r1

4.2.0-r2

4.2.0-r3

4.2.0-r4

4.2.0-r5

4.2.0-r6

4.2.0-r7

4.2.1-r0

4.2.1-r1

4.2.1-r2

4.2.1-r3

4.2.1-r4

4.2.1-r5

4.2.1-r6

4.2.1-r7

4.2.1-r8

4.2.1-r9

4.2.1-r10

4.2.1-r11

4.2.2-r0

4.2.2-r2

4.2.2-r3

4.2.2-r4

4.2.2-r5

4.2.2-r6

4.2.2-r7

4.2.2-r8

4.2.2-r9

4.2.2-r10

4.2.2-r11

4.3.0-r0

4.3.0-r1

4.3.0-r2

4.3.0-r3

4.3.0-r4

4.3.0-r5

4.3.0-r6

4.3.0-r7

4.3.0-r8

4.3.1-r0

4.3.1-r1

4.3.1-r2

4.3.1-r3

4.3.2-r0

4.3.2-r1

4.3.2-r2

4.3.2-r3

4.3.2-r4

4.3.3-r0

4.4.1-r0

4.4.1-r1

4.4.1-r2

4.4.1-r3

4.4.1-r4

4.4.1-r5

4.4.1-r6

4.4.1-r7

4.4.1-r8

4.4.2-r0

4.4.2-r1

4.5.0-r0

4.5.0-r1

4.5.1-r0

4.5.1-r1

4.5.1-r2

4.5.1-r3

4.6.0-r0

4.6.0-r1

4.6.0-r2

4.6.0-r3

4.6.0-r4

4.6.0-r5

4.6.1-r0

4.6.1-r1

4.6.1-r2

4.6.3-r0

4.6.3-r1

4.7.0-r0

4.7.0-r1

4.7.0-r2

4.7.0-r3

4.7.0-r4

4.7.0-r5

4.7.1-r0

4.7.1-r1

4.7.1-r2

4.7.1-r3

4.7.1-r4

4.7.1-r5

4.7.2-r0

4.8.1-r0

4.8.1-r1

4.8.1-r2

4.8.1-r3

4.8.1-r4

4.9.0-r0

4.9.0-r1

4.9.0-r2

4.9.0-r3

4.9.0-r4

4.9.0-r5

4.9.0-r6

4.9.0-r7

4.9.0-r8

4.9.1-r0

4.9.1-r1

4.9.1-r2

4.9.1-r3

4.10.0-r0

4.10.0-r1

4.10.0-r2

4.10.0-r3

4.10.1-r0

4.10.1-r1

4.10.1-r2

4.11.0-r0

4.11.0-r1

4.11.1-r0

4.11.1-r1

4.12.0-r0

4.12.0-r1

4.12.0-r2

4.12.0-r3

4.12.1-r0

4.12.1-r1

4.12.1-r2

4.13.0-r0

4.13.0-r1

4.13.0-r2

4.13.0-r3

4.13.0-r4

4.13.1-r0

4.13.1-r1

4.13.1-r2

4.13.1-r3

4.13.1-r4

4.13.1-r5

4.14.0-r0

4.14.0-r1

4.14.0-r2

4.14.0-r3

4.14.1-r0

4.14.1-r1

4.14.1-r2

4.14.1-r3

4.14.1-r4

4.14.1-r5

4.15.0-r0

4.15.0-r1

4.15.0-r2

4.15.0-r3

4.15.0-r4

4.15.0-r5

4.15.1-r0

4.15.1-r1

4.15.1-r2

4.15.1-r3

4.16.0-r0

4.16.0-r1

4.16.1-r0

4.16.1-r1

4.16.1-r2

4.16.1-r3

4.16.1-r4

4.16.1-r5

4.16.1-r6

4.16.1-r7

4.16.2-r0

4.16.2-r1

4.16.2-r2

4.16.2-r3

4.17.0-r0

4.17.0-r1

4.17.0-r2

4.17.0-r3

4.17.0-r4

4.17.0-r5

4.17.1-r0

4.17.1-r1

4.17.1-r2

4.17.1-r3

4.17.1-r4

4.17.1-r5

4.17.2-r0

4.17.2-r1

4.17.2-r2

4.17.2-r3

4.17.2-r4

4.18.0-r0

4.18.0-r1

4.18.0-r2

4.18.0-r3

4.18.0-r4

4.18.0-r5

4.18.2-r0

4.18.2-r1

4.18.2-r2

4.19.0-r0

4.19.0-r1

4.19.1-r0

4.19.1-r1

4.19.2-r0

4.20.0-r0

4.20.0-r1

4.20.0-r2

4.20.1-r0

4.20.1-r1

4.20.1-r2

4.20.2-r0

4.20.2-r1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-23554.json"