Skip to main content

Xen CVE-2026-23555

| EUVDEUVD-2026-14383 HIGH
Reachable Assertion (CWE-617)
2026-03-23 XEN GHSA-hv7f-mhvh-6mf6
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 07:15 euvd
EUVD-2026-14383
Analysis Generated
Mar 23, 2026 - 07:15 vuln.today
CVE Published
Mar 23, 2026 - 06:57 nvd
HIGH 7.1

DescriptionCVE.org

Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path.

Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.

AnalysisAI

Xenstored on Ubuntu and Debian crashes when a guest VM submits a Xenstore command with an illegal node path "/local/domain/", causing a denial of service to that hypervisor component. An unprivileged guest can trigger this crash via a forced assert() statement, or if the service is built without debugging symbols, cause xenstored to consume excessive CPU resources while becoming unresponsive to further requests. No patch is currently available for this vulnerability.

Technical ContextAI

Xen is a bare-metal hypervisor that uses xenstored, a privileged daemon responsible for managing Xenstore—a hierarchical key-value store for inter-domain communication and configuration. The vulnerability resides in xenstored's path validation logic when processing guest-initiated Xenstore commands. The flaw involves improper error handling during node path verification; when a guest requests access to '/local/domain/' (an invalid path structure), the error indicator becomes corrupted during validation checks. This leads to either an assertion failure in debug builds or undefined behavior in production builds (NDEBUG), resulting in a tight loop consuming CPU resources. The affected CPE is cpe:2.3:a:xen:xen:*:*:*:*:*:*:*:*, indicating this affects all Xen versions, though remediation availability varies across distributions.

RemediationAI

Apply the security patch provided by the Xen project in XSA-481 (https://xenbits.xenproject.org/xsa/advisory-481.html) to xenstored. Ubuntu users should check their distribution's security advisory for patch availability across tracked releases and apply updates via apt or their package manager. Debian users should similarly apply patches from the Debian security team. In the interim, limit guest privileges to trusted workloads only and monitor xenstored CPU utilization for abnormal spikes. Consider restricting Xenstore command execution via policy mechanisms if available in your Xen configuration. Patching is the primary remediation; no workarounds fully mitigate the risk in production multi-tenant environments.

More in Xen

View all
CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2015-3456 HIGH POC
7.7 May 13

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2022-4949 HIGH POC
8.8 Jun 07

The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aj

CVE-2017-15595 HIGH POC
8.8 Oct 18

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recu

CVE-2017-7228 HIGH POC
8.2 Apr 04

An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. Rated

CVE-2015-5165 CRITICAL
9.3 Aug 12

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows

CVE-2015-8550 HIGH
8.2 Apr 14

Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (hos

CVE-2022-26364 MEDIUM POC
6.7 Jun 09

x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text exp

CVE-2017-10918 CRITICAL
10.0 Jul 05

Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obt

CVE-2017-10912 CRITICAL
10.0 Jul 05

Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217

CVE-2017-10921 CRITICAL
10.0 Jul 05

The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_h

Vendor StatusVendor

Ubuntu

Priority: Medium
xen
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

xen
Release Status Fixed Version Urgency
bullseye fixed (unfixed) end-of-life
bullseye (security) vulnerable 4.14.5+94-ge49571868d-1 -
bookworm, bookworm (security) fixed 4.17.5+72-g01140da4e8-1 -
trixie vulnerable 4.20.2+37-g61ff35323e-0+deb13u1 -
trixie (security) vulnerable 4.20.2+7-g1badcf5035-0+deb13u1 -
forky, sid vulnerable 4.20.2+37-g61ff35323e-1 -
bookworm not-affected - -
(unstable) fixed (unfixed) unimportant

SUSE

Severity: High
Product Status
Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP7-SAP-EC2 Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-23555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy