
January 2026 Security and Maintenance Updates for XCP-ng 8.3 LTS

Update Jan 29, 2026

New security and maintenance updates are available for XCP-ng 8.3 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

Security vulnerabilities have been detected and fixed for xen and varstored. In addition to this, the updated packages bring improvements and bug fixes which were queued for release.

⚠️
Some of the updates published today require action on your side to fully benefit from the improvements and prepare for the future.

For users currently running test packages that add support for the QCOW2 virtual disk format, please refer to this dedicated announcement for specific update instructions, or you will lose useful metadata.

🔒Security Updates

XEN

Some Xen optimizations to avoid clearing internal CPU buffers when not required could allow one guest to leak data of another guest. This was disclosed as XSA-479. This update fixes it.

Without the fix, a mitigation can be applied by rebooting vulnerable Xen with spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv on the Xen command line, at the cost of decreased performance.

Another vulnerability in Xen was disclosed and fixed at the same time: XSA-477. XCP-ng is not affected, as shadow paging is not supported in the 8.3 release.

References: VSA-2026-001, VSA-2026-003

Varstored

XSA-478 / CVE-2025-58151 affects varstored, the Xapi component handling UEFI variables for VMs.

Due to a time-of-check to time-of-use (TOCTOU) issue when processing a shared buffer from OVMF, a user with guest kernel-level access may influence control flow in varstored. A privileged user within a UEFI guest could use this flaw to escalate privileges to that of the user running varstored in dom0.

Reference: VSA-2026-002
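
The TOCTOU bug class described above, shown as an added example in C. This is not varstored code and not from the XCP-ng or Xen projects. The struct layout, function names, the 64-byte limit and the race hook are all hypothetical, and the hook replaces a real concurrent guest write so the outcome is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_PAYLOAD 64u  /* constructed limit for this example */

/* Hypothetical request in memory the guest can rewrite at any time. */
struct shared_req { volatile uint32_t len; volatile uint8_t data[256]; };
/* Hook standing in for a guest vCPU racing the handler; NULL means no race. */
static void (*guest_race)(struct shared_req *);

/* Double fetch: len is checked, then read again. Returns the length used or -1. */
static int copy_double_fetch(struct shared_req *req, uint8_t *out, size_t cap)
{
    if (req->len > MAX_PAYLOAD) return -1;       /* time of check */
    if (guest_race) guest_race(req);             /* guest changes len in between */
    uint32_t n = req->len;                       /* time of use: second fetch */
    for (uint32_t i = 0; i < n && i < cap; i++)  /* cap keeps the demo memory-safe */
        out[i] = req->data[i];
    return (int)n;
}

/* Hardened: fetch len once into private memory, validate and use that copy. */
static int copy_snapshot(struct shared_req *req, uint8_t *out, size_t cap)
{
    uint32_t n = req->len;                       /* single fetch */
    if (n > MAX_PAYLOAD || n > cap) return -1;
    if (guest_race) guest_race(req);             /* later writes cannot change n */
    for (uint32_t i = 0; i < n; i++)
        out[i] = req->data[i];                   /* parse only from out afterwards */
    return (int)n;
}

static void grow_len(struct shared_req *req) { req->len = 200; }

/* Runs a handler on a constructed 16-byte request while the race hook is active. */
static int run_with_race(int (*handler)(struct shared_req *, uint8_t *, size_t))
{
    struct shared_req req = { .len = 16 };
    uint8_t out[256];
    guest_race = grow_len;
    int used = handler(&req, out, sizeof out);
    guest_race = NULL;
    return used;
}

int main(void)
{
    printf("double fetch used %d bytes, snapshot used %d bytes\n",
           run_with_race(copy_double_fetch), run_with_race(copy_snapshot));
    return 0;
}
```

The double-fetch handler acts on a length that was never validated, while the snapshot handler keeps using the value it checked.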

Qemu

Backport for CVE-2021-3929, fixing a DMA reentrancy flaw in NVMe emulation that could lead to use-after-free from a malicious guest and potential arbitrary code execution.

🪲 Other bugfixes and improvements

Various improvements were implemented and bugs fixed by both XenServer developers and XCP-ng developers, thanks to the open source nature of the Xen Project and of many components that make up XCP-ng.

Notable Improvements

  • intel-microcode has been updated to the microcode-20251111 release, which includes updates for multiple functional issues.
  • Prevent remote syslog from being overwritten by system updates.

Notable Bug Fixes

  • Fix regression on dynamic memory management, in XAPI, during live migration, causing VMs not to balloon down before the migration.
  • Bug fixes in the NFS and NBD stacks in the kernel for various deadlocks and other race conditions.
  • On the storage layer, and in particular XOSTOR:
    • Reduces the I/O load and time during resync in drbd.
    • Misc improvements regarding drbd-reactor and events.
    • Linstor:
      • Resource delete: Fixed rare race condition where a delayed DRBD event causes "resource not found" ErrorReports.
      • Misc changes to robustify LINSTOR API calls and checks

And various other fixes and internal improvements.
