Alpine: multiple xen packages: security update to 4.19.4-r2

high Tenable Cloud Security Plugin ID 438881

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m
lock is dropped, so that multiple modifications done under the same locked region only issue a single
flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in
freed pages transiently being present in cached state. Such stale entries can point to memory ranges not
owned by the guest, thus allowing access to unintended memory regions. (CVE-2026-23554)

- Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will
crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that
the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with
NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it
no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored
will use up all cpu time it can get. (CVE-2026-23555)

Solution

Update the xen library and its related packages to version 4.19.4-r2 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-23554

https://security.alpinelinux.org/vuln/CVE-2026-23555

Plugin Details

Severity: High

ID: 438881

Version: Revision 1.11

Type: Local

Published: 3/17/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.33

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-23555

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2026-23554, CVE-2026-23555