Skip to main content

Xen oxenstored CVE-2026-23556

| EUVDEUVD-2026-42600 CRITICAL
Improper Preservation of Permissions (CWE-281)
9.4
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Attacker is an already-running guest (AV:L, PR:L); guest exhausts host daemon affecting other domains (S:C); impact is availability-only DoS (C:N/I:N/A:H), unlike the input's high C/I.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 16:51 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
9.4 (CRITICAL)
CVE Published
May 08, 2026 - 06:45 oss-security
CRITICAL 9.4
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Denial of service in Xen's oxenstored (the OCaml Xenstore daemon) arises because quota-related use counts are not released when a domain is destroyed, per Xen Security Advisory 483 (XSA-483). A malicious or buggy guest can repeatedly create and destroy Xenstore state so that leaked accounting counters permanently consume quota, eventually preventing legitimate Xenstore operations and denying service to the host control plane and other domains. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

oxenstored is the OCaml reimplementation of xenstored, the daemon that manages the Xenstore - the shared hierarchical configuration/inter-domain communication database used by Xen for device setup, control, and paravirtualized driver negotiation. To prevent one guest from exhausting shared resources, xenstored enforces per-domain quotas tracked by use counters. XSA-483 reports that oxenstored fails to decrement these quota-related use counts when a domain is destroyed, so the accounting drifts upward over the lifecycle of domains. This maps to CWE-281 (Improper Preservation of Permissions) as classified in the input, reflecting improper handling of persistent per-domain state/accounting; the practical consequence is resource/quota accounting corruption rather than a memory-safety bug.

RemediationAI

Apply the fix from Xen Security Advisory 483 (https://xenbits.xen.org/xsa/advisory-483.html); patch available per vendor advisory, though an exact fixed version string was not included in the provided data, so pull the patched packages referenced in XSA-483 for your Xen branch. As a compensating control where immediate patching is not possible, switch the Xenstore daemon from oxenstored to the C xenstored if your deployment supports it (trade-off: behavioral/performance differences between the two implementations and a configuration change requiring host reconfiguration), and/or restrict the ability of untrusted guests to rapidly create and destroy domains and Xenstore state (trade-off: constrains legitimate automation/orchestration that spins domains up and down frequently). Monitor oxenstored quota accounting and restart the daemon/host if counters approach exhaustion as a stopgap.

Share

CVE-2026-23556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy