CVE-2026-42489
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk0th percentile — higher than 0% of all known CVEs
Summary
CVE-2026-42489 concerns the lack of fairness in the way system-wide locks are acquired during domctl operations, which may lead to issues with parallel execution of these operations.
Risk Assessment
The lack of fairness in lock acquisition can lead to bottlenecks in the system, affecting the performance and stability of the virtual environment.
Recommendation
It is recommended to review and modify the lock acquisition mechanism to ensure fair resource allocation for domctl operations.
Original NVD description (English source)
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.

