The XCP-ng team has released the first batch of June 2026 updates for the 8.3 LTS branch. It’s a maintenance release that combines security patches with software fixes, and it needs host reboots to apply fully. If you run an XCP-ng cluster, plan a maintenance window before you start.
Kernel security patches
The headline is three Linux kernel vulnerabilities fixed by this update: CVE-2026-46300 (the Fragnesia technique), CVE-2026-46333 (ptrace_may_dream) and CVE-2026-43494 (Pintheft). All three let an unprivileged local user escalate to root.
It’s worth putting the risk in context. Exploiting them requires a malicious process already running inside the control domain (dom0). On a well-managed host, where only the systems team touches dom0, the attack surface is narrow. That’s no reason to sit on the patch, though, especially in setups where several people have console access.
End of ssh-rsa support
Another change that can catch an admin off guard: the SSH server now rejects connections using the ssh-rsa algorithm, deprecated for a while now. If you connect with an old client, the connection will fail.
The fix is to use an SSH client at version 7.2 or newer, or to generate ED25519 key pairs, which are the recommended choice today. If you have automation scripts or management tools that connect to the hosts over SSH, check them before applying the update so you don’t lock yourself out.
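A pre-update check for the automation clients mentioned above, as an added example that is not part of the original article or XCP-ng's own tooling. It assumes the "7.2" above means OpenSSH 7.2, the release that added rsa-sha2-256/512 signatures for RSA keys; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Audit SSH clients before the host update: given the banner printed by
# `ssh -V` and the client's public key line (as in a .pub file), report
# whether the client will still authenticate once ssh-rsa is rejected.
# Assumption: the version threshold applies to OpenSSH clients.

# Print "major minor" from an `ssh -V` banner; print nothing if not OpenSSH.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeed when the client is 7.2+ and can sign RSA keys with rsa-sha2-*.
client_supports_rsa_sha2() {
    set -- $(openssh_version "$1")
    [ $# -eq 2 ] || return 1
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 2 ]; }
}

# First field of a public key line is the key type (ssh-rsa, ssh-ed25519, ...).
pubkey_type() {
    printf '%s\n' "${1%% *}"
}

# Verdict for one client: ok, fail, or review (needs a manual look).
audit_client() {
    case $(pubkey_type "$2") in
        ssh-ed25519) echo ok ;;
        ssh-rsa)
            if [ -z "$(openssh_version "$1")" ]; then echo review
            elif client_supports_rsa_sha2 "$1"; then echo ok
            else echo fail
            fi ;;
        *) echo review ;;
    esac
}

# Constructed inventory: name | `ssh -V` banner | public key line (blobs elided).
while IFS='|' read -r name banner key; do
    printf '%-12s %s\n' "$name" "$(audit_client "$banner" "$key")"
done <<'EOF'
backup-job|OpenSSH_6.6.1p1, OpenSSL 1.0.1f|ssh-rsa AAAA...constructed backup@old
monitoring|OpenSSH_9.6p1, OpenSSL 3.0.13|ssh-rsa AAAA...constructed mon@new
deploy|OpenSSH_8.9p1, OpenSSL 3.0.2|ssh-ed25519 AAAA...constructed deploy@ci
vendor-tool|ExampleSSH 2.0|ssh-rsa AAAA...constructed vendor@appliance
EOF
```

A `review` verdict covers non-OpenSSH clients and libraries, whose support for the newer RSA signature algorithms has to be confirmed from their own documentation.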
Software improvements
Beyond security, this batch brings several concrete fixes:
- XAPI adds USB smartcard passthrough, handy for environments that rely on card-based authentication or electronic signing inside the VMs.
- QEMU fixes a potential guest memory mapping lookup issue.
- edk2 (UEFI) resolves boot problems from physical CD/DVD drives and, more notably, raises the per-VM vCPU ceiling from 96 to 128. For anyone building large database or compute VMs, that’s 32 more vCPUs of headroom.
- iPXE adds PXE boot for BIOS-mode VMs on VLANs with 802.1Q priority tags.
- dmidecode moves to version 3.6, which reads type 42 (Redfish) tables.
Who should care
Anyone running XCP-ng 8.3 LTS in production has enough reason to schedule the update with the kernel patches and the SSH change alone. For homelabbers with mixed hardware, the UEFI CD/DVD boot fix and iPXE-over-VLAN support may clear up specific headaches. And in companies with heavy workloads, the jump to 128 vCPUs per VM opens the door to consolidating machines that hit the old ceiling.
As always with XCP-ng, follow the official update guide and reboot hosts one at a time, respecting the pool order so you don’t lose availability. If you want to test first on a staging setup, there’s a community forum thread with feedback from people who have already rolled it out.