
April 2026 Security and Maintenance Updates for XCP-ng 8.3 LTS

Security Apr 28, 2026

New security and maintenance updates are available for XCP-ng 8.3 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

Security vulnerabilities have been detected and fixed in Xen, oxenstored, XAPI, and OpenSSH. In addition to this, the updated packages bring bug fixes and small improvements which were queued for release.

Note: although we recommend updating immediately to fix the security vulnerabilities, be aware that more updates are planned in the coming days.


🔒Security Updates

Xen

  • oxenstored did not reset the quotas attached to a domain ID on domain teardown. Malicious privileged code in a guest domain could exhaust its quotas, reboot in a loop so that each torn-down domain ID kept the exhausted quotas, and wait for those domain IDs to be recycled to other domains, which could then no longer start (Denial-of-Service).
  • Earlier security fixes for XSA-379 and XSA-387 were incomplete. Incorrect locking still allowed a guest switching from grant table version 2 to grant table version 1 to access Xen pages that had been de-allocated. Malicious privileged code in an HVM or PVH guest domain could use this use-after-free flaw to potentially escalate its privileges to hypervisor level.
  • AMD processors of the Zen1 micro-architecture are vulnerable to a side-channel attack leaking floating point registers used by certain AVX/SSE instructions. This could allow a malicious guest to leak floating point data from other guest domains. There is no mitigation other than rebooting onto a Xen version addressing this vulnerability, which sets a chicken bit in the AMD64_FP_CFG MSR to prevent the micro-architectural leak, as recommended by AMD.

XAPI

Several privilege escalation vulnerabilities were disclosed and fixed in XAPI. They may allow a XAPI user holding the vm-admin role to escalate their privileges to those of the root user in the control domain (dom0).

However, these vulnerabilities depend on XAPI's advanced RBAC roles feature, which is not enabled or exposed in Xen Orchestra, XO Lite, or any of our standard documentation. In practice, the escalation path requires a specific setup: an XCP-ng pool connected to Active Directory for its user management, where a user has been explicitly granted VM configuration rights (the vm-admin XAPI role) in XAPI itself. As noted above, Xen Orchestra doesn't rely on XAPI roles, so XO users managed via Active Directory cannot exploit this vulnerability.
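To check whether a pool actually meets that precondition, here is a small shell check, added as an example for this post; it is not part of the XCP-ng update or its documentation. It assumes that xe subject-list prints one record per RBAC subject, separated by blank lines, with a roles (SRO) field holding a ";"-separated list of role names (an assumption about the xe output format), and it falls back to a constructed sample when the xe CLI is not available so it can be run anywhere.

```shell
#!/bin/sh
# Added example: list RBAC subjects holding a given XAPI role.
# Not part of the XCP-ng release or docs. Assumes 'xe subject-list' prints
# one record per subject, separated by blank lines, with lines such as
#   subject-identifier ( RO): S-1-5-21-...
#                roles (SRO): vm-admin; read-only
# (the exact field layout is an assumption about the xe output format).

# Read xe subject-list output on stdin and print "subject-identifier: roles"
# for every subject whose role list contains the role named in $1.
subjects_with_role() {
    awk -v role="$1" '
        BEGIN { RS = ""; FS = "\n" }        # paragraph mode: one record per subject
        {
            sid = ""; roles = ""
            for (i = 1; i <= NF; i++) {
                line = $i
                if (line ~ /^[ \t]*subject-identifier/) { sub(/^[^:]*:[ \t]*/, "", line); sid = line }
                else if (line ~ /^[ \t]*roles/)         { sub(/^[^:]*:[ \t]*/, "", line); roles = line }
            }
            # roles is a ";"-separated list; compare whole tokens, not substrings,
            # so "vm-admin" does not match "vm-power-admin" and vice versa
            n = split(roles, r, /;[ \t]*/)
            for (i = 1; i <= n; i++) if (r[i] == role) print sid ": " roles
        }'
}

# Constructed sample output (not from a real pool) used when xe is unavailable.
SAMPLE='uuid ( RO)                : 0d2f1e3a-1111-4c3b-9a2e-000000000001
    subject-identifier ( RO): S-1-5-21-1-2-3-1001
                 roles (SRO): vm-admin


uuid ( RO)                : 0d2f1e3a-2222-4c3b-9a2e-000000000002
    subject-identifier ( RO): S-1-5-21-1-2-3-512
                 roles (SRO): pool-admin


uuid ( RO)                : 0d2f1e3a-3333-4c3b-9a2e-000000000003
    subject-identifier ( RO): S-1-5-21-1-2-3-1002
                 roles (SRO): vm-power-admin; read-only'

# On an XCP-ng host, query the live pool; elsewhere, fall back to the sample.
if command -v xe >/dev/null 2>&1; then
    xe subject-list params=subject-identifier,roles | subjects_with_role vm-admin
else
    printf '%s\n' "$SAMPLE" | subjects_with_role vm-admin
fi
```

Run it as root on the pool master. If it prints nothing for vm-admin, no Active Directory subject holds the role the advisory describes as the starting point of the escalation; the role name argument can be swapped to review other RBAC grants in the same way.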

OpenSSH

  • Update to version 9.8p1
    • Deprecate old OpenSSH clients (7.2 and lower) that rely on the weak SHA-1-based ssh-rsa signature. A warning asks users to move to an up-to-date client; with the next update, such weak configurations will be rejected.
  • Two extra security fixes were backported from version 10.3:
    • In authorized_keys, an empty principals="" option on a certificate authority entry was misinterpreted, which could lead to unauthorized access.
    • Enabling any single ECDSA algorithm caused all ECDSA algorithms to become active, regardless of their individual configuration. (By default, all ECDSA algorithms are enabled.)
    • References: VSA-2026-009, CVE-2026-35414

🪲 Improvements and bugfixes

Various bugs were fixed and improvements made by both XCP-ng developers and XenServer developers, thanks to the open source nature of the Xen Project and of the many components that make up XCP-ng.

XAPI plugins - SDN controller

⚠️
If you tried the OpenFlow rules released in BETA in October 2025, you need to update your XCP-ng hosts before the upcoming Xen Orchestra update. For everyone else, the update order does not matter.

A new version of the XAPI plugin supporting the new traffic rules has been released. It improves on the previous BETA, making it more reliable, and properly cleans up rules that could previously be left over.

To make this possible, the communication between the XAPI plugin and Xen Orchestra's SDN Controller was modified. The soon-to-be-released Xen Orchestra update will take advantage of this and provide a better experience.

Guest tools ISO image

  • Update to XCP-ng Windows PV Tools 9.1.146.0.
  • Include the XSTDVGA driver and improvements to the guest agent/installer.

XO Lite

Updated to 0.20.0

  • [VM/New] Added secureBoot support
  • [Dashboard] Fix reactivity of dashboard
  • [VM] Fixed duplicated ip addresses in the network tab
  • [Stats] Return null instead of 0 when no stats available
  • [Treeview/Pool/Host] Add button to download bugtools

Kernel

  • Fix the rndis_host driver so that it uses the correct MAC address.
  • Backport a fix for a potential bug in the ext4 driver (CVE-2020-14314).
  • Backport SUNRPC (NFS) fixes that prevent host crashes under some circumstances.

Optional drivers updated

  • qlogic-fastlinq-alt: updated to version 8.74.6.0
    • Fixes two issues in the qede module:
      • The driver did not retain the configured MAC address and MTU after reset recovery.
      • The driver did not recover from a TX timeout error.
  • emulex-lpfc-alt: version 14.4.393.31
    • Initial alternate driver supporting newer Emulex lpfc devices.
  • sfc-module-alt: version 5.3.18.1012
    • Initial alternate driver for Solarflare SFN5XXX, SFN6XXX, SFN7XXX, SFN8XXX and X2 adapters.

More information about alternate drivers: https://docs.xcp-ng.org/installation/hardware/#-alternate-drivers

Other changes

  • gnutls: packaging fix.
  • net-snmp: packaging fix.
  • Install traceroute by default to ease the troubleshooting of connectivity problems.

We want to thank everyone who was involved in preparing these updates, including XCP-ng's user community who took part in pre-release tests.


Samuel Verschelde

Along with Philippe Coval and David Morel

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.