Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Unrated

XAPI VM.platform:hvm_serial RBAC privilege escalation

IdentifiersCVE-2026-42486CWE-269

CVE-2026-42486 is an RBAC enforcement flaw in XAPI, tracked in Xen Security Advisory XSA-489. A user with the lower-privileged vm-admin role can set the sensitive VM.platform:hvm_serial parameter even though modification of that key should be restricted to the pool-admin role. The issue stems from insufficient per-key authorization checks in the VM.platform setter path, allowing a privileged-but-not-fully-privileged administrator to modify a platform key whose security impact exceeds the general field-level permission model. The advisory and associated fix note that hvm_serial can enable arbitrary file write in dom0, making this an XAPI privilege-boundary bypass rather than a generic configuration weakness.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a vm-admin to exceed intended RBAC restrictions and effectively escalate privileges toward pool-admin-equivalent impact. Because the hvm_serial parameter can permit arbitrary dom0 file write, the flaw can lead to compromise of the control domain, with consequent risk to host integrity and management-plane trust. In practical terms, this can enable modification of files on dom0 and facilitate broader host-level compromise.

Mitigation

If you can’t patch tonight, do this now.

Until patched, disable RBAC subjects assigned lower-privileged administrator roles implicated by XSA-489, specifically vm-admin, vm-power-admin, or pool-operator, where operationally feasible. More specifically for this CVE, avoid assigning vm-admin to untrusted users in pools where RBAC is enabled, because the vulnerability is exposed only when non-fully-privileged administrative roles are in use.

Remediation

Patch, then assume compromise.

Apply the XAPI fixes referenced by XSA-489. The content states that the fixes were merged and backported and are available in XAPI releases v26.12.0 and v26.1.11. The underlying remediation is to enforce per-key RBAC checks on VM.platform setters so that sensitive keys such as hvm_serial are restricted to pool-admin. Upgrade affected XAPI/Xen-based platforms to vendor-provided builds containing these fixes.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-42486
NVD
nvd.nist.gov/vuln/detail/CVE-2026-42486
MITRE CWE · CWE-269
cwe.mitre.org