
May 2026 Updates #3 for XCP-ng 8.3 LTS

Update May 21, 2026

New security and maintenance updates are available for XCP-ng 8.3 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

Security vulnerabilities have been detected and fixed in Xen and in the Linux kernel.

We also publish other maintenance updates addressing various issues.

🔒Security Updates

Xen

A vulnerability was found in AMD processors of the Zen2 architecture, which are vulnerable to a CPU opcode caching attack. The Xen Project has filed it under XSA-490. This vulnerability could lead to a privilege escalation on the affected hardware, including from a guest to the host. The recommended action is to update Xen on your hosts to the latest version and to ensure that their firmware is up to date.

💡
An updated amd-microcode package was released in December 2025 that includes fixes for some AMD CPUs, but it mostly covers consumer-level products. It is recommended to check the related AMD Security Bulletin AMD-SB-7052 to verify whether your hardware is covered by this update, as well as the Vates Security Advisory VSA-2026-015, which covers the caveats of the recent firmware upgrades on AMD-based hardware.

References: VSA-2026-015 - XSA-490 - CVE-2025-54518 - AMD-SB-7052

Linux kernel

Since the recent "Copy Fail" privilege escalation vulnerability, security researchers have put a special focus on the Linux kernel, with more local privilege escalation vulnerabilities found every few days.

In this update, we address CVE-2026-43284, which is targeted by multiple popular exploits such as DirtyFrag, CopyFail2 and DirtyFail.

References: VSA-2026-014 - CVE-2026-43284

Intel Microcode

We included the latest microcode update published by Intel, which, among other fixes, addresses INTEL-SA-01420.

⚠️
Updated firmware is provided as a convenience to help mitigate hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.

References: INTEL-SA-01420 - CVE-2025-35979

🪲 Improvements and bugfixes

  • SM (storage manager): fix an issue that could cause SR scans to fail and block operations on the SR (Storage Repository). Symptoms also include the presence of "list index out of range" in /var/log/SMLog. This issue impacts LVM-based SRs (local LVM, LVMoISCSI, LVMoHBA) when the "Purge snapshot data when using CBT." option is set in Xen Orchestra.
  • Xen: minor bugfixes, including calibration of various timers and handling of PCI devices when disabling SR-IOV.
  • XAPI (XCP-ng's control plane): minor NUMA-related fixes.
  • XO Lite: upgrade dependencies with known security vulnerabilities. These vulnerabilities are not believed to affect XO Lite itself. They are fixed as defence-in-depth.

Samuel Verschelde

Along with Philippe Coval, David Morel

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.