CVE-2026-31788
xen/privcmd: restrict usage in unprivileged domU
Description
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: restrict usage in unprivileged domU

The Xen privcmd driver allows user space processes to issue arbitrary hypercalls. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would enable a root user process to modify e.g. kernel memory contents, thus breaking the secure boot feature.

The only known case where an unprivileged domU really needs to use the privcmd driver is when it is acting as the device model for another guest. In this case all hypercalls issued via the privcmd driver will target that other guest. Fortunately the privcmd driver can already be locked down to allow only hypercalls targeting a specific domain, but today this mode can be activated from user land only.

The target domain can be obtained from Xenstore, so when not running in dom0, restrict the privcmd driver to that target domain from the beginning, resolving the potential problem of breaking secure boot.

This is XSA-482

---
V2:
- defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)
- wait in open() if target domain isn't known yet
- issue message in case no target domain found (Jan Beulich)
INFO
Published Date: March 25, 2026, 11:16 a.m.
Last Modified: March 25, 2026, 12:16 p.m.
Remotely Exploitable: No
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products
The following products are affected by the CVE-2026-31788 vulnerability. Even where cvefeed.io is aware of the exact affected versions, that information is not represented in the table below.
No affected product recorded yet.
Solution
- Restrict the Xen privcmd driver to the target domain when the guest is not running as dom0.
- Obtain the target domain from Xenstore.
- Defer the Xenstore read if Xenstore is not ready yet.
- Wait in open() if the target domain is not known yet.
The following table lists the changes that have been made to the CVE-2026-31788 vulnerability over time. Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Mar. 25, 2026)
  Added References:
  http://www.openwall.com/lists/oss-security/2026/03/24/2
  http://www.openwall.com/lists/oss-security/2026/03/24/3
  http://www.openwall.com/lists/oss-security/2026/03/24/4
  http://www.openwall.com/lists/oss-security/2026/03/24/5
  http://xenbits.xen.org/xsa/advisory-482.html
- New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (Mar. 25, 2026)
  Added Description: the description shown above.
  Added References (stable kernel fixes):
  https://git.kernel.org/stable/c/1879319d790f7d57622cdc22807b60ea78b56b6d
  https://git.kernel.org/stable/c/389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4
  https://git.kernel.org/stable/c/78432d8f0372c71c518096395537fa12be7ff24e
  https://git.kernel.org/stable/c/87a803edb2ded911cb587c53bff179d2a2ed2a28
  https://git.kernel.org/stable/c/cbede2e833da1893afbea9b3ff29b5dda23a4a91