References:
CVE-2026-23554: https://www.openwall.com/lists/oss-security/2026/03/17/6
CVE-2026-23555: https://www.openwall.com/lists/oss-security/2026/03/17/7

Mageia 9 is only affected by CVE-2026-23554.
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-23554, CVE-2026-23555
Status comment: (none) => Patches available from upstream
Source RPM: (none) => xen-4.20.2-2.mga10.src.rpm, xen-4.17.5-1.git20251028.2.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use after free of paging structures in EPT. (CVE-2026-23554)

References:
https://www.openwall.com/lists/oss-security/2026/03/17/6
========================

Updated packages in core/updates_testing:
========================
lib(64)xen-devel-4.17.5-1.git20251028.3.mga9
lib(64)xen3.0-4.17.5-1.git20251028.3.mga9
ocaml-xen-4.17.5-1.git20251028.3.mga9
ocaml-xen-devel-4.17.5-1.git20251028.3.mga9
xen-4.17.5-1.git20251028.3.mga9
xen-hypervisor-4.17.5-1.git20251028.3.mga9
xen-licenses-4.17.5-1.git20251028.3.mga9
xen-runtime-4.17.5-1.git20251028.3.mga9

from SRPM:
xen-4.17.5-1.git20251028.3.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
Flags: affects_mga9+ => (none)
Source RPM: xen-4.20.2-2.mga10.src.rpm, xen-4.17.5-1.git20251028.2.mga9.src.rpm => xen-4.17.5-1.git20251028.2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
CVE: CVE-2026-23554, CVE-2026-23555 => CVE-2026-23554
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Keywords: (none) => advisory
Mageia9, x86_64 Installed the release packages and then updated using qarepo. No problems there but not having any knowledge of hypervisors have to leave things there. Not able to experiment because it has been impossible to install virtualboxes on my existing systems for the last two or three years and any previous vboxes have now disappeared due to the demise of their hosts. So, good as far as updating goes but actual testing must depend on other users.
CC: (none) => tarazed25
Clean update should be enough, still can't test the Mageia with Xen Hypervisor item in grub
Whiteboard: (none) => MGA9-64-OK
In reply to Len Lawrence in comment 2: The hardware is all ASUS based so probably not vulnerable to the EPT bug.

In reply to katnatek in comment 3 - noted.
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

Started Gnome Boxes, which had not been run in months on this system, ran an existing MGA9 Plasma VM, to make sure it was still working before the update.

The following 2 packages are going to be installed:

- lib64xen3.0-4.17.5-1.git20251028.3.mga9.x86_64
- xen-licenses-4.17.5-1.git20251028.3.mga9.x86_64

8B of additional disk space will be used.
673KB of packages will be retrieved.

No installation issues. Ran Boxes again, and started the VM. Expanded it to full screen, used Gwenview to look at some photos. Started MCC and went after updates - 160 in all, including glibc and a kernel. Rebooted to a still-functioning desktop.

No issues noted, looks OK to me. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
The advisory contains a different version number than given in comment 1. I'm taking the liberty of changing it since that's the only version in updates_testing and matches the version shown to have been tested in comment 5.
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0068.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED