May 2026 Security and Maintenance Updates for XCP-ng 8.3 LTS
New security and maintenance updates are available for XCP-ng 8.3 LTS.
This set of updates also marks the general availability of the QCOW2 disk format.
Host reboots are necessary after this update.
📋 Summary
Security vulnerabilities have been detected and fixed in XAPI, in the Linux kernel and in XenClean, a utility used to remove old guest tools from a Windows VM.
Additionally, these updates introduce support for the QCOW2 disk format, an important milestone that enables the creation of VM disks larger than 2 TiB.

🔒 Security Updates
Linux kernel - "Copy Fail"
The well-known "Copy Fail" privilege escalation vulnerability also affects XCP-ng's control domain (dom0). To exploit it, an attacker must already control a lower-privileged user account on the system.
The update disables the vulnerable IPsec ESN support. As a result, encrypted GPN performance may be reduced in some cases. A future patch may restore this feature with a proper fix, but the required code changes were too extensive for a quick resolution.
References: VSA-2026-013, CVE-2026-31431
XAPI
XAPI is XCP-ng's control plane.
Following last week's security update, two additional vulnerabilities related to the vm-admin role in XAPI were fixed.
As a reminder, XAPI's roles are not a feature that Xen Orchestra uses or exposes, so most users are not affected.
References: VSA-2026-011 (updated), XSA-489, CVE-2026-23562, CVE-2026-42486
Windows Guest Tools
The embedded guest tools ISO image, guest-tools.iso, was updated to fix VSA-2026-012 (DLL sideloading vulnerability in XenClean and XenBootFix).
If your VM is running XCP-ng Windows Guest Tools 9.1.146, you don't need to update. You just need to replace any XenClean and XenBootFix files you downloaded.
The XenClean and XenBootFix directories contain fixed versions of the aforementioned tools.
XenTools-x64.msi has not changed from version 9.1.146, and is only provided as a convenience. The installation MSI does not include the fixed XenBootFix.