On 9 June 2026 the Xen Project published four security advisories at once, numbered XSA-491 through XSA-494. They affect the hypervisor on x86 and, in one case, ARM. If you run Xen virtualisation hosts, take each one separately, because the exposure conditions differ.
XSA-494 (CVE-2026-42488): mismatched mapcache metadata
This is the most serious of the four. The advisory is titled “x86: mismatched mapcache metadata”. The bug sits in the shadow paging error paths: when page tables are switched, those paths fail to update the vCPU references correctly. That leaves a mismatch between the loaded page tables and the mapcache metadata, which can lead to memory corruption.
The advisory lists three possible consequences: privilege escalation, denial of service affecting the entire host, and information leaks. The reassuring part is that the conditions are narrow. Only 64-bit PV guests running in shadow mode are affected, a configuration used during guest migration or as an XSA-273 workaround. Vulnerable versions are Xen 4.15 and later, specifically any version with the XSA-438 fix applied.
If you don’t run shadow mode with 64-bit PV guests, you’re not exposed. As mitigation, the project suggests deploying only HVM or PVH guests, or running PV guests inside the PV shim. Qubes OS, for instance, is not affected because it disables shadow paging at build time.
XSA-491 (CVE-2026-42487): HVM I/O port list traversal
The second relevant advisory is titled “x86 HVM I/O port list traversal”. Here a device model controlling HVM guests can crash the hypervisor, causing a host-wide denial of service. The advisory does not rule out privilege escalation or information leaks.
The root cause: device model I/O port mappings are kept in linked lists that can be modified at any time through XEN_DOMCTL_ioport_mapping calls, but the hypervisor traversed those lists without synchronising against such updates. Exploitation requires control of a device model running in a stub domain or in a de-privileged Dom0.
All releases from Xen 3.2 onwards are confirmed vulnerable; earlier versions were not inspected. It affects x86 only and HVM guests only. Running PV or PVH guests exclusively avoids the issue. This is the only one of the four that affects Qubes OS, covered in their QSB-115 bulletin.
XSA-492 and XSA-493
The other two advisories from the same day are narrower. XSA-492 is classified as denial of service only. XSA-493 affects ARM systems only, which is why Qubes OS, which does not run on ARM, is out of scope.
What to do
Apply the Xen Project patches. For XSA-494 there are patches for xen-unstable and the stable branches from 4.17.x to 4.21.x; for XSA-491, the files xsa491.patch (xen-unstable) and xsa491-4.21.patch (4.21.x down to 4.17.x). If your setup runs only HVM or PVH guests, XSA-494 doesn’t reach you; if you run only PV or PVH, neither does XSA-491. Confirm your configuration before assuming you’re safe.
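A small triage helper for the exposure conditions above, added here as example code that is not part of the advisories or of the Xen tooling. It assumes `xl list -l` emits a JSON array of objects carrying `domid` and `config.c_info.type` (libxl's JSON shape); the sample input below is constructed, not captured from a real host, and the script only classifies guests by type, since guest bitness and shadow mode are not visible in the domain config.

```python
import json

# Constructed sample resembling `xl list -l` output (libxl JSON); not from a real host.
SAMPLE_XL_LIST = """
[
  {"domid": 0, "config": {"c_info": {"type": "pv",  "name": "Domain-0"}}},
  {"domid": 3, "config": {"c_info": {"type": "hvm", "name": "win-vm"}}},
  {"domid": 5, "config": {"c_info": {"type": "pvh", "name": "svc-pvh"}}}
]
"""


def guest_types(xl_list_json: str) -> dict:
    """Map guest name -> type ("pv", "hvm", "pvh"), skipping Dom0 (domid 0)."""
    types = {}
    for dom in json.loads(xl_list_json):
        if dom.get("domid") == 0:
            continue
        c_info = dom["config"]["c_info"]
        types[c_info["name"]] = c_info["type"]
    return types


def triage(types: dict) -> dict:
    """Apply the exposure conditions stated in XSA-491 and XSA-494.

    XSA-491 is reachable only from an HVM device model, so any HVM guest counts.
    XSA-494 needs a 64-bit PV guest in shadow mode (migration or the XSA-273
    workaround); the config does not show bitness or shadow mode, so PV guests
    are reported as "review" rather than "exposed".
    """
    hvm = sorted(n for n, t in types.items() if t == "hvm")
    pv = sorted(n for n, t in types.items() if t == "pv")
    return {
        "XSA-491": "exposed" if hvm else "not exposed",
        "XSA-491_guests": hvm,
        "XSA-494": "review" if pv else "not exposed",
        "XSA-494_guests": pv,
    }


if __name__ == "__main__":
    for key, value in triage(guest_types(SAMPLE_XL_LIST)).items():
        print(f"{key}: {value}")
```

On a real host, feed it `xl list -l` output instead of the constructed sample and treat "review" as a prompt to check for 64-bit PV guests that are migrated or pinned to shadow mode.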
This isn’t the first time Xen’s shadow paging has caused trouble. Early in 2026 there was a similar case with Xen XSA-477 (CVE-2025-58150), a buffer overflow in the tracing code with shadow paging active.
Sources
- Qubes OS — XSAs released on 2026-06-09: https://www.qubes-os.org/news/2026/06/09/xsas-released-on-2026-06-09/
- NVD — CVE-2026-42488: https://nvd.nist.gov/vuln/detail/CVE-2026-42488
- NVD — CVE-2026-42487: https://nvd.nist.gov/vuln/detail/CVE-2026-42487
