GHSA-qcp2-2xf6-hw26
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker is an already-running guest (AV:L, PR:L); guest exhausts host daemon affecting other domains (S:C); impact is availability-only DoS (C:N/I:N/A:H), unlike the input's high C/I.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description PRE-NVD
AnalysisAI
Denial of service in Xen's oxenstored (the OCaml Xenstore daemon) arises because quota-related use counts are not released when a domain is destroyed, per Xen Security Advisory 483 (XSA-483). A malicious or buggy guest can repeatedly create and destroy Xenstore state so that leaked accounting counters permanently consume quota, eventually preventing legitimate Xenstore operations and denying service to the host control plane and other domains. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
oxenstored is the OCaml reimplementation of xenstored, the daemon that manages the Xenstore - the shared hierarchical configuration/inter-domain communication database used by Xen for device setup, control, and paravirtualized driver negotiation. To prevent one guest from exhausting shared resources, xenstored enforces per-domain quotas tracked by use counters. XSA-483 reports that oxenstored fails to decrement these quota-related use counts when a domain is destroyed, so the accounting drifts upward over the lifecycle of domains. This maps to CWE-281 (Improper Preservation of Permissions) as classified in the input, reflecting improper handling of persistent per-domain state/accounting; the practical consequence is resource/quota accounting corruption rather than a memory-safety bug.
RemediationAI
Apply the fix from Xen Security Advisory 483 (https://xenbits.xen.org/xsa/advisory-483.html); patch available per vendor advisory, though an exact fixed version string was not included in the provided data, so pull the patched packages referenced in XSA-483 for your Xen branch. As a compensating control where immediate patching is not possible, switch the Xenstore daemon from oxenstored to the C xenstored if your deployment supports it (trade-off: behavioral/performance differences between the two implementations and a configuration change requiring host reconfiguration), and/or restrict the ability of untrusted guests to rapidly create and destroy domains and Xenstore state (trade-off: constrains legitimate automation/orchestration that spins domains up and down frequently). Monitor oxenstored quota accounting and restart the daemon/host if counters approach exhaustion as a stopgap.
Same weakness CWE-281 – Improper Preservation of Permissions
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42600