ALPINE-CVE-2026-42486

Source
https://security.alpinelinux.org/vuln/CVE-2026-42486
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42486.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-42486
Upstream
  • CVE-2026-42486
Withdrawn
2026-07-14T08:03:33.287049487Z
Published
2026-07-09T16:16:41.443Z
Modified
2026-07-14T08:03:33.287049869Z
Severity
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system.

Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected.

  • CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0.

  • CVE-2026-23560: A vm-admin can set VM.other-config:issystemdomain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling.

  • CVE-2026-23561: A vm-admin can set VM.otherconfig:storagedriver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not.

  • CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware.

  • CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

References

Affected packages

Alpine:v3.20 / xen

Package

Name
xen
Purl
pkg:apk/alpine/xen?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42486.json"

Alpine:v3.21 / xen

Package

Name
xen
Purl
pkg:apk/alpine/xen?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42486.json"

Alpine:v3.22 / xen

Package

Name
xen
Purl
pkg:apk/alpine/xen?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42486.json"

Alpine:v3.23 / xen

Package

Name
xen
Purl
pkg:apk/alpine/xen?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42486.json"

Alpine:v3.24 / xen

Package

Name
xen
Purl
pkg:apk/alpine/xen?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42486.json"