Skip to main content

Xapi CVE-2025-58146

| EUVDEUVD-2025-210446 CRITICAL
Improper Input Validation (CWE-20)
2026-07-09 XEN GHSA-cfmg-797f-j883
9.4
CVSS 4.0 · Vendor: XEN
Share

Severity by source

Vendor (XEN) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (XEN) · only source for this CVE.

CVSS VectorVendor: XEN

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 16:30 vuln.today

DescriptionCVE.org

There are multiple issues.

  1. Updates to the XAPI database sanitise input strings, but try

generating the notification using the unsanitised input. This causes the database's event thread to terminate and cease further processing.

  1. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI

uses libraries which conform to the stricter v3.1 of the Unicode spec. This causes some strings to be accepted as valid UTF-8 by XAPI, but rejected by other libraries in use. Notably, such strings can be entered into the database, after which the database can no longer be loaded.

  1. There is no input sanitisation for Map/Set updates on objects in the

XAPI database.

AnalysisAI

Denial-of-service and database-corruption in Xen's XAPI toolstack (the XenAPI management layer used by XCP-ng and Citrix/XenServer Hypervisor) lets clients that submit object updates crash the database event thread or write strings that permanently prevent the database from loading. Three distinct input-validation defects are covered by XSA-474: notifications built from unsanitised input, a UTF-8 encoder that follows Unicode 3.0 while dependent libraries enforce the stricter 3.1 spec, and a total absence of sanitisation for Map/Set object updates. No public exploit has been identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 9.4.

Share

CVE-2025-58146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy