June 2026 Updates #2 for XCP-ng 8.3 LTS
New security and maintenance updates are available for XCP-ng 8.3 LTS.
Host reboots are necessary after this update.
📋 Summary
This release batch contains security fixes for Xen and the kernel, as well as version updates, bug fixes and some improvements. The fixed vulnerabilities are not considered critical and are fixed as defence-in-depth.

🔒 Security Updates
Xen
Several vulnerabilities have been discovered since the last update, two of them affecting XCP-ng. We rated them as low (see references for full details).
- XSA-491 - x86 HVM I/O port list traversal: Fixed via extra synchronization to prevent a hypervisor crash caused by an attack from an HVM guest. This only applies to hosts running x86 HVM guests where the device model (e.g., QEMU) is controlled or compromised. This could cause a Denial of Service (DoS) of the entire host, possible privilege escalation and information leaks. Given the security model of XCP-ng, this is unlikely to have actual impact for our products.
- XSA-492 - domctl lock open to abuse: This could also cause a DoS. An attacker with control over a less privileged entity may stall an equally or more privileged entity, potentially leading to a Denial of Service (DoS) of up to the entire host. For XCP-ng the code path of this vulnerability (XSM/Flask) is not used and cannot be exploited.
XCP-ng is not impacted by the other two vulnerabilities (XSA-493 and XSA-494) as PV guests and ARM CPUs are not supported. This update still includes the fix for XSA-494 to align with security standards.
References:
- VSA-2026-017 (XSA-491, CVE-2026-42487)
- VSA-2026-018 (XSA-492, CVE-2026-42489 - CVE-2026-42490)
- VSA-2026-019 (CVE-2025-10263, XSA-493)
- VSA-2026-020 (CVE-2026-42488, XSA-494)
Linux Kernel
The kernel gets stronger over time as newly discovered vulnerabilities are fixed. A recent exploit nicknamed CIFSwitch could allow privilege escalation. It leverages a newly found vulnerability in the SMB filesystem driver. Fixes were backported from mainline.
Note: in XCP-ng’s threat model, vulnerabilities of this type are treated as important, but their impact is considered limited because they require a malicious local unprivileged process to be running in the control domain in order to exploit them.
- References: VSA-2026-021 (CVE-2026-46243)
Other changes
- lldpd (optional package, not installed by default): Fix a buffer over-read when processing the "VLAN tags" from an Ethernet frame.
- References: VSA-2026-022 (CVE-2026-46433)
🪲 Improvements and bugfixes
Xen
A feature has been added to report the temperature on Intel CPUs using the xenpm get-core-temp command. AMD CPU users will have to rely on a different method to expose the temperature, which does not require this xenpm-based approach. It should already work with plain sensors (through k10temp), but note that the driver may not be up to date for recent AMD CPUs.
XOSTOR
- kmod-drbd: Update to 9.2.18. Adds improvements for XOSTOR stability when evacuating/evicting a host (it should be updated along with xcp-ng-release-linstor before rebooting the system).
Note: linstor packages themselves have not been updated, only kmod-drbd and xcp-ng-release-linstor.
XAPI
XAPI, XCP-ng's control plane, is updated to 26.1.11, which adds the following fixes and improvements:
- Fix an issue where a newly installed host wouldn't be able to join a pool due to incompatible features exposed by storage.
- Fix shutdown VMs not being migratable due to errors generated when the VM was running.
- Allow moving VMs back to DHCP from static IP with configure_ipv4/6.
Drivers and firmware
- intel-microcode: Fix a hang on boot on some platforms (Revert Granite Rapids AP/SP ucode back to IPU 2026.1).
- intel-ice: Update to 2.4.5, which adds support for E825-C and E830, Link Aggregation (LAG), as well as various other stability, performance and bug-fix improvements.
- mpi3mr-module: Update to version 8.17.1, adding newly supported SAS5116 devices.
- mellanox-mlnxen-alt (optional): Fix build error with kernel 4.19.19-8.0.42.1+. Non-functional changes.
Other changes
- grub: Sync with XenServer 8.4. Fix a rare out-of-memory error.
- dracut: Fix to force reboot/shutdown/halt. Fix an issue where the omission of 'override' kernel modules from the initrd image could, in rare instances, prevent a freshly installed XCP-ng host from booting.
- kexec-tools: Sync with XenServer. Add checks to reboot a crashed host if kernel crash handling doesn't complete.
- stunnel: Fixed stunnel only considering one of the self-signed certificates with the same DN.
- xcp-ng-pv-tools: Update to XCP-ng Windows Guest Tools 9.1.200.