Alpine: multiple xen packages: security update to 4.20.3-r4

critical Tenable Cloud Security Plugin ID 442839

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Arm C1-Ultra, C1-Premium, Neoverse V3 & V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1,
Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C, Cortex-A710, Cortex-A78, A78AE & A78C,
Cortex-A77, Cortex-A76 & A76A may allow writes to resources owned by a higher exception level.
(CVE-2025-10263)

- HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are
managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may change at
any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs to be synchronized
with updates, which was not done. (CVE-2026-42487)

- Some shadow paging error paths switch the page-tables without updating the currently running vCPU
reference. This causes a mismatch between the loaded page-tables and the mapcache metadata, which can lead
to corruption of the mapcache. (CVE-2026-42488)

- [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities
correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a
possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not
be executed in parallel, so a system-wide lock is used. The way that lock is acquired, however, provides no
fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock is acquired, for some
operations, ahead of any permission checking. This is CVE-2026-42490. (CVE-2026-42489,
CVE-2026-42490)

Solution

Update the xen library and its related packages to version 4.20.3-r4 or later.
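The following POSIX sh check is an added example and is not part of the Tenable plugin or of Alpine's own tooling. It compares the versions of installed xen packages against the fixed version named above (4.20.3-r4) using Alpine's X.Y.Z-rN version scheme. It assumes the one-line-per-package output format of `apk list -I 'xen*'` ("name-version arch {origin} (license) [installed]"); the sample output embedded below is constructed for the example, not captured from a real host, and the package names in it are illustrative.

```sh
#!/bin/sh
# Added example: flag installed Alpine xen packages older than the fixed
# version from this advisory. Not Tenable or Alpine code.
FIXED_VERSION="4.20.3-r4"

# Constructed sample of `apk list -I 'xen*'` output (assumed format):
# two packages below the fixed version, one at it.
SAMPLE_APK_LIST='xen-4.20.3-r3 x86_64 {xen} (GPL-2.0-only) [installed]
xen-libs-4.20.3-r4 x86_64 {xen} (GPL-2.0-only) [installed]
xen-hypervisor-4.20.2-r10 x86_64 {xen} (GPL-2.0-only) [installed]'

# Compare two Alpine-style versions A.B.C[-rN]; print -1, 0 or 1.
# Handles dotted numeric segments and the -r release only, which is
# sufficient for the xen versions in this advisory (no _p/_git suffixes).
alpine_ver_cmp() {
  a_main=${1%%-r*}; b_main=${2%%-r*}
  a_rel=${1##*-r}; b_rel=${2##*-r}
  # A version without an -r suffix counts as release 0.
  if [ "$a_rel" = "$1" ]; then a_rel=0; fi
  if [ "$b_rel" = "$2" ]; then b_rel=0; fi
  while [ -n "$a_main" ] || [ -n "$b_main" ]; do
    a_seg=${a_main%%.*}; b_seg=${b_main%%.*}
    case $a_main in *.*) a_main=${a_main#*.} ;; *) a_main= ;; esac
    case $b_main in *.*) b_main=${b_main#*.} ;; *) b_main= ;; esac
    if [ "${a_seg:-0}" -gt "${b_seg:-0}" ]; then printf '%s\n' 1; return; fi
    if [ "${a_seg:-0}" -lt "${b_seg:-0}" ]; then printf '%s\n' -1; return; fi
  done
  if [ "$a_rel" -gt "$b_rel" ]; then printf '%s\n' 1
  elif [ "$a_rel" -lt "$b_rel" ]; then printf '%s\n' -1
  else printf '%s\n' 0
  fi
}

# Succeed when the given version is at or above FIXED_VERSION.
is_fixed() {
  [ "$(alpine_ver_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Read `apk list -I` lines on stdin; print the name of every installed
# package whose version is older than FIXED_VERSION, one per line.
vulnerable_packages() {
  while IFS= read -r line; do
    case $line in *'[installed]'*) ;; *) continue ;; esac
    # "xen-hypervisor-4.20.2-r10 x86_64 ..." -> version "4.20.2-r10",
    # name "xen-hypervisor" (name may itself contain dashes).
    ver=$(printf '%s\n' "$line" | sed -E 's/^.*-([0-9][^ ]*-r[0-9]+) .*$/\1/')
    name=$(printf '%s\n' "$line" | sed -E 's/^(.*)-[0-9][^ ]*-r[0-9]+ .*$/\1/')
    is_fixed "$ver" || printf '%s\n' "$name"
  done
}

# Run against the constructed sample. On an Alpine host, replace the
# printf with:  apk list -I 'xen*' | vulnerable_packages
printf '%s\n' "$SAMPLE_APK_LIST" | vulnerable_packages |
  while IFS= read -r pkg; do
    echo "$pkg: installed version is older than $FIXED_VERSION"
  done
```

On the sample input the script reports xen and xen-hypervisor and stays quiet about xen-libs. The hand-rolled comparison exists only so the example runs offline; on a real Alpine host the comparison itself can be delegated to `apk version -t 4.20.3-r3 4.20.3-r4`, which prints `<`, and the remediation is `apk upgrade` of the affected packages after refreshing the index.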

See Also

https://security.alpinelinux.org/vuln/CVE-2025-10263

https://security.alpinelinux.org/vuln/CVE-2026-42487

https://security.alpinelinux.org/vuln/CVE-2026-42488

https://security.alpinelinux.org/vuln/CVE-2026-42489

https://security.alpinelinux.org/vuln/CVE-2026-42490

Plugin Details

Severity: Critical

ID: 442839

Version: Revision 1.8

Type: Local

Published: 6/9/2026

Updated: 6/25/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-10263

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/9/2026

Reference Information

CVE: CVE-2025-10263, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, CVE-2026-42490