EUVD-2026-14383

| CVE-2026-23555 HIGH
2026-03-23 XEN GHSA-hv7f-mhvh-6mf6
7.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 07:15 euvd
EUVD-2026-14383
Analysis Generated
Mar 23, 2026 - 07:15 vuln.today
CVE Published
Mar 23, 2026 - 06:57 nvd
HIGH 7.1

Tags

Denial Of Service

Description

Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.

Analysis

Xenstored on Ubuntu and Debian crashes when a guest VM submits a Xenstore command with an illegal node path "/local/domain/", causing a denial of service to that hypervisor component. An unprivileged guest can trigger this crash via a forced assert() statement, or if the service is built without debugging symbols, cause xenstored to consume excessive CPU resources while becoming unresponsive to further requests. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Vendor Status

Ubuntu

Priority: Medium
xen
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

xen
Release Status Fixed Version Urgency
bullseye fixed (unfixed) end-of-life
bullseye (security) vulnerable 4.14.5+94-ge49571868d-1 -
bookworm, bookworm (security) fixed 4.17.5+72-g01140da4e8-1 -
trixie vulnerable 4.20.2+37-g61ff35323e-0+deb13u1 -
trixie (security) vulnerable 4.20.2+7-g1badcf5035-0+deb13u1 -
forky, sid vulnerable 4.20.2+37-g61ff35323e-1 -
bookworm not-affected - -
(unstable) fixed (unfixed) unimportant

Share

EUVD-2026-14383 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy