Quick update now that Vates has published their official advisory.
First, kudos to the Vates security team for the thorough and timely response. VSA-2026-014 is well-documented and covers the full picture, including a third CVE I had not covered in my earlier posts.
VSA-2026-014 confirms what I outlined above: XCP-ng is affected by CVE-2026-43284 (XFRM-ESP) and is NOT affected by CVE-2026-43500 (no RxRPC support). The CVE I had missed: CVE-2026-46300 ("Fragnesia") also affects XCP-ng via the XFRM ESP-in-TCP subsystem. The same esp4/esp6 blacklist mitigation applies, with the same caveat @semarie raised: it will break encrypted private networks on XCP-ng.
Now that the VSA and official mitigation guidance are public, I'm releasing the diagnostic script I built. It's Python 3.6, no external dependencies, safe to run on production dom0. It tests whether an unprivileged process can engage the esp4 engine via the XFRM interface inside a user namespace — the precondition for CVE-2026-43284 — without touching any exploit code. Note it covers CVE-2026-43284 only, not CVE-2026-46300.
One important note before running it: please read the code before executing it on any of your systems. This is good practice with any script from the internet, regardless of the source. The code is intentionally short and straightforward so you can review it quickly and satisfy yourself that it does exactly what it says.
VSA-2026-014: https://docs.vates.tech/security/advisories/2026/vates-sa-2026-014/
Diagnostic tool: https://github.com/grabesec/XCP_ng_CVE-2026-43284_tester
A kernel patch from Vates is in progress. Apply as soon as it lands.
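As an added example for this thread (my own code, not the grabesec diagnostic tool and nothing from Vates), the script below checks the other half of the picture on a dom0: whether the esp4/esp6 blacklist mitigation from VSA-2026-014 is actually in effect and whether unprivileged user namespaces are enabled at all. It assumes the standard /etc/modprobe.d, /proc/modules and /proc/sys/user/max_user_namespaces paths, and it distinguishes a plain `blacklist` line (stops alias-based autoload only) from an `install <mod> /bin/false` line (also refuses an explicit modprobe).

```python
import glob
import re

def parse_modprobe_conf(text):
    """Return {module: set of directives} from modprobe.d-style text.
    'blacklist' stops alias autoload; 'install <mod> /bin/false' (or /bin/true)
    additionally refuses an explicit modprobe, so the two are tracked apart."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(blacklist|install)\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        kind, mod, cmd = m.group(1), m.group(2).replace("-", "_"), (m.group(3) or "").strip()
        if kind == "install" and cmd not in ("/bin/false", "/bin/true"):
            continue  # an install hook that runs something else is not a block
        found.setdefault(mod, set()).add(kind)
    return found

def loaded_modules(proc_modules_text):
    """Module names from /proc/modules content (first column per line)."""
    return {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}

def assess(conf, loaded, max_userns, modules=("esp4", "esp6")):
    """Verdict per module plus whether unprivileged user namespaces are on."""
    verdict = {}
    for mod in modules:
        kinds = conf.get(mod, set())
        if mod in loaded:
            verdict[mod] = "loaded"         # already resident; blacklist is moot
        elif "install" in kinds:
            verdict[mod] = "blocked"        # cannot be loaded at all
        elif "blacklist" in kinds:
            verdict[mod] = "autoload-only"  # explicit modprobe still works
        else:
            verdict[mod] = "unmitigated"
    verdict["userns_enabled"] = max_userns > 0  # assumption: sysctl user.max_user_namespaces
    return verdict

def read(path, default=""):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return default

if __name__ == "__main__":
    conf = "\n".join(read(p) for p in sorted(glob.glob("/etc/modprobe.d/*.conf")))
    userns = int(read("/proc/sys/user/max_user_namespaces", "0").strip() or 0)
    for key, val in assess(parse_modprobe_conf(conf), loaded_modules(read("/proc/modules")), userns).items():
        print("%-15s %s" % (key, val))
```

Run it as root after applying the mitigation: both modules should report `blocked` (or at least `autoload-only`), and a `loaded` verdict means a reboot is still needed before the blacklist has any effect.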