The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f04da48123 advisory.

    update to xen 4.19.5

    ----

    Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]     Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f884fd0313 advisory.

    update to xen 4.21.1

    ----

    Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]     Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1092-1 advisory.

    - CVE-2026-23554: xen: Use after free of paging structures in EPT (bsc#1259247, XSA-480)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1093-1 advisory.

    - CVE-2026-23554: xen: Use after free of paging structures in EPT (bsc#1259247, XSA-480)
    - CVE-2026-23555: xen: Xenstored DoS by unprivileged domain (bsc#1259248, XSA-481)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-8ae1a1c3d7 advisory.

    Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]     Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0908-1 advisory.

    - CVE-2026-23554: xen: Use after free of paging structures in EPT (bsc#1259247, XSA-480)
    - CVE-2026-23555: xen: Xenstored DoS by unprivileged domain (bsc#1259248, XSA-481)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m     lock is dropped, so that multiple modifications done under the same locked region only issue a single     flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in     freed pages transiently being present in cached state. Such stale entries can point to memory ranges not     owned by the guest, thus allowing access to unintended memory regions. (CVE-2026-23554)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
304454	Fedora 42 : xen (2026-f04da48123)	Nessus	Fedora Local Security Checks	high
304345	Fedora 44 : xen (2026-f884fd0313)	Nessus	Fedora Local Security Checks	high
304129	SUSE SLES15 Security Update : xen (SUSE-SU-2026:1092-1)	Nessus	SuSE Local Security Checks	high
304123	SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2026:1093-1)	Nessus	SuSE Local Security Checks	high
303312	Fedora 43 : xen (2026-8ae1a1c3d7)	Nessus	Fedora Local Security Checks	high
302848	SUSE SLES15 / openSUSE 15 Security Update : xen (SUSE-SU-2026:0908-1)	Nessus	SuSE Local Security Checks	high
302811	Linux Distros Unpatched Vulnerability : CVE-2026-23554	Nessus	Misc.	high

Detections

Analytics

CVE-2026-23554

high

Tenable Plugins

high

high

high

high

high

high

high