Photo by Francisco Arnela

June 2026 Updates #1 for XCP-ng 8.3 LTS

Update Jun 2, 2026

New security and maintenance updates are available for XCP-ng 8.3 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

Security vulnerabilities have been identified and fixed in the Linux kernel used by XCP-ng's control domain (dom0). Additional lower-priority maintenance updates are included in this release alongside these security fixes.

Note: we’re aware that the pace of updates has been higher than usual recently. This is largely due to the rise of AI-assisted security research, which has accelerated the discovery of new vulnerabilities. We understand that more frequent updates can create additional work for system administrators, but we believe it’s important to address security issues as quickly as possible and will continue to prioritize security and stability.

Picture of a green shield

🔒Security Updates

Linux kernel

As previously stated, the Linux kernel continues to undergo extensive security review. With the help of AI-assisted tools, multiple vulnerabilities (CVE-2026-46300, CVE-2026-46333, CVE-2026-43494) were discovered and patched to prevent exploitation through the associated techniques known as Fragnesia, ptrace_may_dream and Pintheft, and could allow an unprivileged local user to gain root privileges.

Note: in XCP-ng’s threat model, vulnerabilities of this type are treated as important, but their impact is considered limited because they require a malicious local unprivileged process to be running in the control domain in order to exploit them.

References: VSA-2026-014 (updated) - CVE-2026-46300 - VSA-2026-016 - CVE-2026-46333 - CVE-2026-43494

OpenSSH

As announced at the end of April, following the deprecation of ssh-rsa support in the OpenSSH server, this update will reject obsolete insecure clients. Please update ssh clients to recent versions (at least 7.2) or generate modern ED25519 key pairs.

🪲 Improvements and bugfixes

  • XAPI (XCP-ng's control plane): Allow USB passthrough of smartcards.
  • qemu (HW emulation): Fix a potential issue in guest memory mapping lookup.
  • edk2 (UEFI firmware): Fix issues while booting from physical CD/DVD drive. Raise UEFI guest vCPU limit to 128 vCPUs (was 96 vCPUs earlier due to a hardcoded upper limit in edk2).
  • ipxe (Network boot): Support PXE boot for BIOS VMs on a VLAN with 802.1Q priority tags.
  • dmidecode (System utility): Update to version 3.6 to be able to read type 42 tables (redfish).
  • a few other packages were rebuilt, without notable functional change.

Tags

Philippe Coval

Along with Samuel Verschelde

Recommended for you