HOMEVULNERABILITIESCVE-2026-31788
NONE

CVE-2026-31788

Published: March 25, 2026· Updated: Mar 30, 2026

EPSS:0.03%probability of exploitation in 30 daysPercentile:9.4th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: restrict usage in unprivileged domU

The Xen privcmd driver allows to issue arbitrary hypercalls from

user space processes. This is normally no problem, as access is

usually limited to root and the hypervisor will deny any hypercalls

affecting other domains.

In case the guest is booted using secure boot, however, the privcmd

driver would be enabling a root user process to modify e.g. kernel

memory contents, thus breaking the secure boot feature.

The only known case where an unprivileged domU is really needing to

use the privcmd driver is the case when it is acting as the device

model for another guest. In this case all hypercalls issued via the

privcmd driver will target that other guest.

Fortunately the privcmd driver can already be locked down to allow

only hypercalls targeting a specific domain, but this mode can be

activated from user land only today.

The target domain can be obtained from Xenstore, so when not running

in dom0 restrict the privcmd driver to that target domain from the

beginning, resolving the potential problem of breaking secure boot.

This is XSA-482

---

V2:

- defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)

- wait in open() if target domain isn't known yet

- issue message in case no target domain found (Jan Beulich)

NVD Source

Technical Analysis

CVE-2026-31788 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (12)

Quick Facts

CVE IDCVE-2026-31788
SeverityNONE
CISA KEVNo
EPSS (30d)0.03%
PublishedMar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31788 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.