cvelistv5 - cve-2026-23555

CVE-2026-23555 (GCVE-0-2026-23555)

Vulnerability from cvelistv5

Published

2026-03-23 06:57

Modified

2026-03-23 14:14

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Summary

Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-481.html

Impacted products

	Vendor	Product	Version
	Xen	Xen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-23T07:32:28.482Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/17/7"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-481.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23555",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T14:11:41.150968Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-617",
                "description": "CWE-617 Reachable Assertion",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T14:14:02.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-481"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to\nXen 4.17 are not vulnerable.\n\nSystems using the C variant of xenstored are vulnerable. Systems using\nxenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not\nvulnerable."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Marek Marczykowski-G\u00f3reckiof\nInvisible Things Lab."
        }
      ],
      "datePublic": "2026-03-17T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Any unprivileged domain can cause xenstored to crash, causing a\nDoS (denial of service) for any Xenstore action. This will result\nin an inability to perform further domain administration on the host.\n\nIn case xenstored has been built with NDEBUG defined, an unprivileged\ndomain can force xenstored to be 100% busy, but without harming\nxenstored functionality for other guests otherwise."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T06:57:07.653Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-481.html"
        }
      ],
      "title": "Xenstored DoS by unprivileged domain",
      "workarounds": [
        {
          "lang": "en",
          "value": "There is no known mitigation available."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2026-23555",
    "datePublished": "2026-03-23T06:57:07.653Z",
    "dateReserved": "2026-01-14T13:07:36.961Z",
    "dateUpdated": "2026-03-23T14:14:02.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/17/7\"}, {\"url\": \"http://xenbits.xen.org/xsa/advisory-481.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-23T07:32:28.482Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23555\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T14:11:41.150968Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-617\", \"description\": \"CWE-617 Reachable Assertion\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T14:13:08.843Z\"}}], \"cna\": {\"title\": \"Xenstored DoS by unprivileged domain\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Marek Marczykowski-G\\u00f3reckiof\\nInvisible Things Lab.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Any unprivileged domain can cause xenstored to crash, causing a\\nDoS (denial of service) for any Xenstore action. This will result\\nin an inability to perform further domain administration on the host.\\n\\nIn case xenstored has been built with NDEBUG defined, an unprivileged\\ndomain can force xenstored to be 100% busy, but without harming\\nxenstored functionality for other guests otherwise.\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-481\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2026-03-17T12:00:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-481.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"There is no known mitigation available.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Any guest issuing a Xenstore command accessing a node using the\\n(illegal) node path \\\"/local/domain/\\\", will crash xenstored due to a\\nclobbered error indicator in xenstored when verifying the node path.\\n\\nNote that the crash is forced via a failing assert() statement in\\nxenstored. In case xenstored is being built with NDEBUG #defined,\\nan unprivileged guest trying to access the node path \\\"/local/domain/\\\"\\nwill result in it no longer being serviced by xenstored, other guests\\n(including dom0) will still be serviced, but xenstored will use up\\nall cpu time it can get.\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to\\nXen 4.17 are not vulnerable.\\n\\nSystems using the C variant of xenstored are vulnerable. Systems using\\nxenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not\\nvulnerable.\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2026-03-23T06:57:07.653Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-23555\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-23T14:14:02.810Z\", \"dateReserved\": \"2026-01-14T13:07:36.961Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2026-03-23T06:57:07.653Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0304

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Xen. Elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	XEN	Xen	Xen versions 4.17.x sans le correctif de sécurité xsa480.patch
	XEN	Xen	Xen versions 4.18.x sans le correctif de sécurité xsa481.patch

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted