ALPINE-CVE-2026-42490
- Source
- https://security.alpinelinux.org/vuln/CVE-2026-42490
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-42490.json
- JSON Data
- https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-42490
- Upstream
- Published
- 2026-06-18T14:17:25.600Z
- Modified
- 2026-06-22T16:30:06.406399633Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.
- References
Affected packages
Alpine:v3.20 / xen
Package
- Name
- xen
- Purl
- pkg:apk/alpine/xen?arch=source
Alpine:v3.21 / xen
Package
- Name
- xen
- Purl
- pkg:apk/alpine/xen?arch=source
Alpine:v3.22 / xen
Package
- Name
- xen
- Purl
- pkg:apk/alpine/xen?arch=source
Alpine:v3.23 / xen
Package
- Name
- xen
- Purl
- pkg:apk/alpine/xen?arch=source