Search
Find a vulnerability
Search criteria
1182 vulnerabilities by Xen
CVE-2026-42486 (GCVE-0-2026-42486)
Vulnerability from nvd – Published: 2026-07-09 15:16 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:43.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:16:34.880Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42486",
"datePublished": "2026-07-09T15:16:34.880Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-07-10T03:55:43.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23562 (GCVE-0-2026-23562)
Vulnerability from nvd – Published: 2026-07-09 15:15 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:42.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:15:24.093Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23562",
"datePublished": "2026-07-09T15:15:24.093Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-10T03:55:42.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23561 (GCVE-0-2026-23561)
Vulnerability from nvd – Published: 2026-07-09 15:13 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:44.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:13:50.370Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23561",
"datePublished": "2026-07-09T15:13:22.160Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-10T03:55:44.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23560 (GCVE-0-2026-23560)
Vulnerability from nvd – Published: 2026-07-09 15:12 – Updated: 2026-07-09 16:08
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:08:07.196380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:08:13.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:12:00.013Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23560",
"datePublished": "2026-07-09T15:12:00.013Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:08:13.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23559 (GCVE-0-2026-23559)
Vulnerability from nvd – Published: 2026-07-09 15:09 – Updated: 2026-07-09 16:02
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-29 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:02:25.587757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:02:32.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-29T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n \u003ca href=\"https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\"\u003ehttps://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003c/a\u003e\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write.\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles \n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:09:51.762Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23559",
"datePublished": "2026-07-09T15:09:51.762Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:02:32.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23556 (GCVE-0-2026-23556)
Vulnerability from nvd – Published: 2026-07-09 14:48 – Updated: 2026-07-09 15:37
VLAI
EPSS
VEX
Title
oxenstored keeps quota related use counts across domain destruction
Summary
When oxenstored is tearing a domain down, the node data is cleaned up
but the usage counts are leaked.
When the domain ID is eventually reused, the new domain can create fewer
nodes before beeing deemed to be over quota.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper preservation of permissions
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | oxenstored |
Affected:
all
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:06:25.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/10"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-483.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:34:22.728700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:37:46.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "oxenstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrii Sultanov of Vates."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eWhen oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota.\u003c/pre\u003e"
}
],
"value": "When oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota."
}
],
"impacts": [
{
"capecId": "CAPEC-548",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-548 Contaminate Resource"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper preservation of permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:48:56.630Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-483.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "oxenstored keeps quota related use counts across domain destruction",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23556",
"datePublished": "2026-07-09T14:48:56.630Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T15:37:46.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58151 (GCVE-0-2025-58151)
Vulnerability from nvd – Published: 2026-07-09 14:45 – Updated: 2026-07-09 15:41
VLAI
EPSS
VEX
Title
varstored: TOCTOU issues with mapped guest memory
Summary
varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM. It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.
Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.
The exact vulnerable behaviour depends on the code generated by the
compiler. In a build of varstored using default settings, the attacker
can control an index used in a jump table.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
References
Date Public
2026-01-27 13:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:05:08.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/2"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-478.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:40:36.292177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:41:25.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "varstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates."
}
],
"datePublic": "2026-01-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003evarstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM. It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler. In a build of varstored using default settings, the attacker\ncan control an index used in a jump table.\u003c/pre\u003e"
}
],
"value": "varstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM. It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler. In a build of varstored using default settings, the attacker\ncan control an index used in a jump table."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:45:16.531Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-478.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "varstored: TOCTOU issues with mapped guest memory",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58151",
"datePublished": "2026-07-09T14:45:16.531Z",
"dateReserved": "2025-08-26T06:48:41.444Z",
"dateUpdated": "2026-07-09T15:41:25.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58146 (GCVE-0-2025-58146)
Vulnerability from nvd – Published: 2026-07-09 14:42 – Updated: 2026-07-09 16:07
VLAI
EPSS
VEX
Title
XAPI UTF-8 string handling
Summary
There are multiple issues.
1. Updates to the XAPI database sanitise input strings, but try
generating the notification using the unsanitised input. This
causes the database's event thread to terminate and cease further
processing.
2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
uses libraries which conform to the stricter v3.1 of the Unicode
spec. This causes some strings to be accepted as valid UTF-8 by
XAPI, but rejected by other libraries in use. Notably, such strings
can be entered into the database, after which the database can no
longer be loaded.
3. There is no input sanitisation for Map/Set updates on objects in the
XAPI database.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
Date Public
2025-09-09 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:04:54.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/3"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-474.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:07:50.376243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:07:56.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Edwin T\u00f6r\u00f6k from XenServer."
}
],
"datePublic": "2025-09-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eThere are multiple issues.\n\n 1. Updates to the XAPI database sanitise input strings, but try\n generating the notification using the unsanitised input. This\n causes the database\u0027s event thread to terminate and cease further\n processing.\n\n 2. XAPI\u0027s UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI\n uses libraries which conform to the stricter v3.1 of the Unicode\n spec. This causes some strings to be accepted as valid UTF-8 by\n XAPI, but rejected by other libraries in use. Notably, such strings\n can be entered into the database, after which the database can no\n longer be loaded.\n\n 3. There is no input sanitisation for Map/Set updates on objects in the\n XAPI database.\u003c/pre\u003e"
}
],
"value": "There are multiple issues.\n\n 1. Updates to the XAPI database sanitise input strings, but try\n generating the notification using the unsanitised input. This\n causes the database\u0027s event thread to terminate and cease further\n processing.\n\n 2. XAPI\u0027s UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI\n uses libraries which conform to the stricter v3.1 of the Unicode\n spec. This causes some strings to be accepted as valid UTF-8 by\n XAPI, but rejected by other libraries in use. Notably, such strings\n can be entered into the database, after which the database can no\n longer be loaded.\n\n 3. There is no input sanitisation for Map/Set updates on objects in the\n XAPI database."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:42:22.690Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-474.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XAPI UTF-8 string handling",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58146",
"datePublished": "2026-07-09T14:42:22.690Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2026-07-09T16:07:56.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27464 (GCVE-0-2025-27464)
Vulnerability from nvd – Published: 2026-07-09 14:35 – Updated: 2026-07-09 16:07
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:07:34.962961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:07:40.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:35:38.440Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27464",
"datePublished": "2026-07-09T14:35:38.440Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T16:07:40.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27463 (GCVE-0-2025-27463)
Vulnerability from nvd – Published: 2026-07-09 14:29 – Updated: 2026-07-09 15:52
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Date Public
2025-05-27 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:51:32.481576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:52:14.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"datePublic": "2025-05-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:29:49.625Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27463",
"datePublished": "2026-07-09T14:29:49.625Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T15:52:14.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27462 (GCVE-0-2025-27462)
Vulnerability from nvd – Published: 2026-07-09 14:27 – Updated: 2026-07-09 16:06
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
The Windows PV drivers expose various facilities to userspace. Several
of these have no security descriptor, and are therefore fully accessible
to unprivileged users. These are:
1. XenCons, CVE-2025-27462
2. XenIface, CVE-2025-27463
3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Date Public
2025-05-27 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:06:53.503103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:06:58.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"datePublic": "2025-05-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eThe Windows PV drivers expose various facilities to userspace. Several\nof these have no security descriptor, and are therefore fully accessible\nto unprivileged users. These are:\n\n 1. XenCons, CVE-2025-27462\n 2. XenIface, CVE-2025-27463\n 3. XenBus, CVE-2025-27464\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nThe Windows PV drivers expose various facilities to userspace. Several\nof these have no security descriptor, and are therefore fully accessible\nto unprivileged users. These are:\n\n 1. XenCons, CVE-2025-27462\n 2. XenIface, CVE-2025-27463\n 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:27:03.467Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27462",
"datePublished": "2026-07-09T14:27:03.467Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T16:06:58.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42490 (GCVE-0-2026-42490)
Vulnerability from nvd – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:04
VLAI
EPSS
VEX
Title
domctl lock open to abuse
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
1 reference
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:04:47.308725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:04:50.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-492"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 3.3 onwards are vulnerable. Earlier versions use\na different locking operation, but may also be vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nTo create and manage guests, domctl operations are used by the control\ndomain, a possible Xenstore domain, or by a domain controlling a\nparticular guest. Some of these operations may not be executed in\nparallel, so a system-wide lock is used. The way that lock is acquired\nis, however, not providing any fairness. This is CVE-2026-42489.\n\nFurthermore, with XSM/Flask in use, the lock acquire will, for some\noperations, occur ahead of any permission checking. This is\nCVE-2026-42490."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A less privileged entity may stall an equally or more privileged entity,\npotentially leading to a Denial od Service (DoS) of up to the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:13.257Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-492.html"
}
],
"title": "domctl lock open to abuse",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42490",
"datePublished": "2026-06-18T13:47:13.257Z",
"dateReserved": "2026-04-27T14:20:24.139Z",
"dateUpdated": "2026-06-18T15:04:50.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42489 (GCVE-0-2026-42489)
Vulnerability from nvd – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:04
VLAI
EPSS
VEX
Title
domctl lock open to abuse
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
1 reference
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:04:27.888372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:04:32.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-492"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 3.3 onwards are vulnerable. Earlier versions use\na different locking operation, but may also be vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nTo create and manage guests, domctl operations are used by the control\ndomain, a possible Xenstore domain, or by a domain controlling a\nparticular guest. Some of these operations may not be executed in\nparallel, so a system-wide lock is used. The way that lock is acquired\nis, however, not providing any fairness. This is CVE-2026-42489.\n\nFurthermore, with XSM/Flask in use, the lock acquire will, for some\noperations, occur ahead of any permission checking. This is\nCVE-2026-42490."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A less privileged entity may stall an equally or more privileged entity,\npotentially leading to a Denial od Service (DoS) of up to the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:13.198Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-492.html"
}
],
"title": "domctl lock open to abuse",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42489",
"datePublished": "2026-06-18T13:47:13.198Z",
"dateReserved": "2026-04-27T14:20:24.139Z",
"dateUpdated": "2026-06-18T15:04:32.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42488 (GCVE-0-2026-42488)
Vulnerability from nvd – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:07
VLAI
EPSS
VEX
Title
x86: mismatched mapcache metadata
Summary
Some shadow paging errors paths will switch the page-tables without
updating the currently running vCPU reference. This causes a mismatch
between the loaded page-tables and the mapcache metadata which can lead
to corruption of the mapcache.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:02:17.385668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:03:20.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T15:07:35.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-494.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-494"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.15 and onwards are vulnerable. Any Xen version with the fix for\nXSA-438 applied is vulnerable.\n\nOnly x86 systems are vulnerable. Only 64-bit PV guests can leverage the\nvulnerability, and only when running in shadow mode. Shadow mode would\nbe in use when migrating guests or as a workaround for XSA-273 (L1TF)."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Some shadow paging errors paths will switch the page-tables without\nupdating the currently running vCPU reference. This causes a mismatch\nbetween the loaded page-tables and the mapcache metadata which can lead\nto corruption of the mapcache."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:23.838Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-494.html"
}
],
"title": "x86: mismatched mapcache metadata",
"workarounds": [
{
"lang": "en",
"value": "Running only HVM or PVH guests will avoid the vulnerability.\n\nRunning PV guests in the PV shim will also avoid the vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42488",
"datePublished": "2026-06-18T13:47:23.838Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-06-18T15:07:35.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42487 (GCVE-0-2026-42487)
Vulnerability from nvd – Published: 2026-06-18 13:46 – Updated: 2026-06-18 15:07
VLAI
EPSS
VEX
Title
x86 HVM I/O port list traversal
Summary
HVM guest I/O port accesses are subject to either emulation or at least
translation. Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed
at any time. Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
Severity
7.9 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T14:35:06.701148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T14:35:11.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T15:07:31.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-491.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-491"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly entities controlling HVM guests can leverage the vulnerability.\nThese are device models running in either a stub domain or de-privileged\nin Dom0."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HVM guest I/O port accesses are subject to either emulation or at least\ntranslation. Translations are managed by the device model (via\nXEN_DOMCTL_ioport_mapping), and hence the linked list used may changed\nat any time. Traversal of those lists (while handling guest I/O port\naccesses) therefore needs synchronizing with updates, which was missing\nso far."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A device model of a HVM guest can cause a hypervisor crash, causing a\nDenial of Service (DoS) of the entire host. Privilege escalation and\ninformation leaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:46:53.459Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-491.html"
}
],
"title": "x86 HVM I/O port list traversal",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or PVH guests will avoid the vulnerability.\n\n(Switching from a device model stub domain or a de-privileged device\nmodel to a fully privileged Dom0 device model does NOT mitigate this\nvulnerability. Rather, it simply recategorises the vulnerability to\nhostile management code, regarding it \"as designed\"; thus it merely\nreclassifies these issues as \"not a bug\". The security of a Xen system\nusing stub domains is still better than with a qemu-dm running as a Dom0\nprocess. Users and vendors of stub qemu dm systems should not change\ntheir configuration to use a Dom0 qemu process.)"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42487",
"datePublished": "2026-06-18T13:46:53.459Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-06-18T15:07:31.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42486 (GCVE-0-2026-42486)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:16 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:43.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:16:34.880Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42486",
"datePublished": "2026-07-09T15:16:34.880Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-07-10T03:55:43.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23562 (GCVE-0-2026-23562)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:15 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:42.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:15:24.093Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23562",
"datePublished": "2026-07-09T15:15:24.093Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-10T03:55:42.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23561 (GCVE-0-2026-23561)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:13 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:44.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:13:50.370Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23561",
"datePublished": "2026-07-09T15:13:22.160Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-10T03:55:44.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23560 (GCVE-0-2026-23560)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:12 – Updated: 2026-07-09 16:08
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:08:07.196380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:08:13.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:12:00.013Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23560",
"datePublished": "2026-07-09T15:12:00.013Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:08:13.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23559 (GCVE-0-2026-23559)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:09 – Updated: 2026-07-09 16:02
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-29 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:02:25.587757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:02:32.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-29T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n \u003ca href=\"https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\"\u003ehttps://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003c/a\u003e\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write.\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles \n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:09:51.762Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23559",
"datePublished": "2026-07-09T15:09:51.762Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:02:32.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23556 (GCVE-0-2026-23556)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:48 – Updated: 2026-07-09 15:37
VLAI
EPSS
VEX
Title
oxenstored keeps quota related use counts across domain destruction
Summary
When oxenstored is tearing a domain down, the node data is cleaned up
but the usage counts are leaked.
When the domain ID is eventually reused, the new domain can create fewer
nodes before beeing deemed to be over quota.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper preservation of permissions
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | oxenstored |
Affected:
all
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:06:25.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/10"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-483.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:34:22.728700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:37:46.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "oxenstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrii Sultanov of Vates."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eWhen oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota.\u003c/pre\u003e"
}
],
"value": "When oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota."
}
],
"impacts": [
{
"capecId": "CAPEC-548",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-548 Contaminate Resource"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper preservation of permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:48:56.630Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-483.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "oxenstored keeps quota related use counts across domain destruction",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23556",
"datePublished": "2026-07-09T14:48:56.630Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T15:37:46.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58151 (GCVE-0-2025-58151)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:45 – Updated: 2026-07-09 15:41
VLAI
EPSS
VEX
Title
varstored: TOCTOU issues with mapped guest memory
Summary
varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM. It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.
Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.
The exact vulnerable behaviour depends on the code generated by the
compiler. In a build of varstored using default settings, the attacker
can control an index used in a jump table.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
References
Date Public
2026-01-27 13:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:05:08.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/2"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-478.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:40:36.292177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:41:25.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "varstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates."
}
],
"datePublic": "2026-01-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003evarstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM. It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler. In a build of varstored using default settings, the attacker\ncan control an index used in a jump table.\u003c/pre\u003e"
}
],
"value": "varstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM. It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler. In a build of varstored using default settings, the attacker\ncan control an index used in a jump table."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:45:16.531Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-478.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "varstored: TOCTOU issues with mapped guest memory",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58151",
"datePublished": "2026-07-09T14:45:16.531Z",
"dateReserved": "2025-08-26T06:48:41.444Z",
"dateUpdated": "2026-07-09T15:41:25.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58146 (GCVE-0-2025-58146)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:42 – Updated: 2026-07-09 16:07
VLAI
EPSS
VEX
Title
XAPI UTF-8 string handling
Summary
There are multiple issues.
1. Updates to the XAPI database sanitise input strings, but try
generating the notification using the unsanitised input. This
causes the database's event thread to terminate and cease further
processing.
2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
uses libraries which conform to the stricter v3.1 of the Unicode
spec. This causes some strings to be accepted as valid UTF-8 by
XAPI, but rejected by other libraries in use. Notably, such strings
can be entered into the database, after which the database can no
longer be loaded.
3. There is no input sanitisation for Map/Set updates on objects in the
XAPI database.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
Date Public
2025-09-09 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:04:54.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/3"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-474.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:07:50.376243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:07:56.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Edwin T\u00f6r\u00f6k from XenServer."
}
],
"datePublic": "2025-09-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eThere are multiple issues.\n\n 1. Updates to the XAPI database sanitise input strings, but try\n generating the notification using the unsanitised input. This\n causes the database\u0027s event thread to terminate and cease further\n processing.\n\n 2. XAPI\u0027s UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI\n uses libraries which conform to the stricter v3.1 of the Unicode\n spec. This causes some strings to be accepted as valid UTF-8 by\n XAPI, but rejected by other libraries in use. Notably, such strings\n can be entered into the database, after which the database can no\n longer be loaded.\n\n 3. There is no input sanitisation for Map/Set updates on objects in the\n XAPI database.\u003c/pre\u003e"
}
],
"value": "There are multiple issues.\n\n 1. Updates to the XAPI database sanitise input strings, but try\n generating the notification using the unsanitised input. This\n causes the database\u0027s event thread to terminate and cease further\n processing.\n\n 2. XAPI\u0027s UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI\n uses libraries which conform to the stricter v3.1 of the Unicode\n spec. This causes some strings to be accepted as valid UTF-8 by\n XAPI, but rejected by other libraries in use. Notably, such strings\n can be entered into the database, after which the database can no\n longer be loaded.\n\n 3. There is no input sanitisation for Map/Set updates on objects in the\n XAPI database."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:42:22.690Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-474.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XAPI UTF-8 string handling",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58146",
"datePublished": "2026-07-09T14:42:22.690Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2026-07-09T16:07:56.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27464 (GCVE-0-2025-27464)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:35 – Updated: 2026-07-09 16:07
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:07:34.962961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:07:40.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:35:38.440Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27464",
"datePublished": "2026-07-09T14:35:38.440Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T16:07:40.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27463 (GCVE-0-2025-27463)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:29 – Updated: 2026-07-09 15:52
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Date Public
2025-05-27 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:51:32.481576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:52:14.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"datePublic": "2025-05-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:29:49.625Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27463",
"datePublished": "2026-07-09T14:29:49.625Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T15:52:14.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27462 (GCVE-0-2025-27462)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:27 – Updated: 2026-07-09 16:06
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
The Windows PV drivers expose various facilities to userspace. Several
of these have no security descriptor, and are therefore fully accessible
to unprivileged users. These are:
1. XenCons, CVE-2025-27462
2. XenIface, CVE-2025-27463
3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Date Public
2025-05-27 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:06:53.503103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:06:58.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"datePublic": "2025-05-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eThe Windows PV drivers expose various facilities to userspace. Several\nof these have no security descriptor, and are therefore fully accessible\nto unprivileged users. These are:\n\n 1. XenCons, CVE-2025-27462\n 2. XenIface, CVE-2025-27463\n 3. XenBus, CVE-2025-27464\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nThe Windows PV drivers expose various facilities to userspace. Several\nof these have no security descriptor, and are therefore fully accessible\nto unprivileged users. These are:\n\n 1. XenCons, CVE-2025-27462\n 2. XenIface, CVE-2025-27463\n 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:27:03.467Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27462",
"datePublished": "2026-07-09T14:27:03.467Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T16:06:58.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42488 (GCVE-0-2026-42488)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:07
VLAI
EPSS
VEX
Title
x86: mismatched mapcache metadata
Summary
Some shadow paging errors paths will switch the page-tables without
updating the currently running vCPU reference. This causes a mismatch
between the loaded page-tables and the mapcache metadata which can lead
to corruption of the mapcache.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:02:17.385668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:03:20.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T15:07:35.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-494.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-494"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.15 and onwards are vulnerable. Any Xen version with the fix for\nXSA-438 applied is vulnerable.\n\nOnly x86 systems are vulnerable. Only 64-bit PV guests can leverage the\nvulnerability, and only when running in shadow mode. Shadow mode would\nbe in use when migrating guests or as a workaround for XSA-273 (L1TF)."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Some shadow paging errors paths will switch the page-tables without\nupdating the currently running vCPU reference. This causes a mismatch\nbetween the loaded page-tables and the mapcache metadata which can lead\nto corruption of the mapcache."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:23.838Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-494.html"
}
],
"title": "x86: mismatched mapcache metadata",
"workarounds": [
{
"lang": "en",
"value": "Running only HVM or PVH guests will avoid the vulnerability.\n\nRunning PV guests in the PV shim will also avoid the vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42488",
"datePublished": "2026-06-18T13:47:23.838Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-06-18T15:07:35.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42490 (GCVE-0-2026-42490)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:04
VLAI
EPSS
VEX
Title
domctl lock open to abuse
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
1 reference
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:04:47.308725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:04:50.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-492"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 3.3 onwards are vulnerable. Earlier versions use\na different locking operation, but may also be vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nTo create and manage guests, domctl operations are used by the control\ndomain, a possible Xenstore domain, or by a domain controlling a\nparticular guest. Some of these operations may not be executed in\nparallel, so a system-wide lock is used. The way that lock is acquired\nis, however, not providing any fairness. This is CVE-2026-42489.\n\nFurthermore, with XSM/Flask in use, the lock acquire will, for some\noperations, occur ahead of any permission checking. This is\nCVE-2026-42490."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A less privileged entity may stall an equally or more privileged entity,\npotentially leading to a Denial od Service (DoS) of up to the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:13.257Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-492.html"
}
],
"title": "domctl lock open to abuse",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42490",
"datePublished": "2026-06-18T13:47:13.257Z",
"dateReserved": "2026-04-27T14:20:24.139Z",
"dateUpdated": "2026-06-18T15:04:50.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42489 (GCVE-0-2026-42489)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:04
VLAI
EPSS
VEX
Title
domctl lock open to abuse
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
1 reference
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:04:27.888372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:04:32.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-492"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 3.3 onwards are vulnerable. Earlier versions use\na different locking operation, but may also be vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nTo create and manage guests, domctl operations are used by the control\ndomain, a possible Xenstore domain, or by a domain controlling a\nparticular guest. Some of these operations may not be executed in\nparallel, so a system-wide lock is used. The way that lock is acquired\nis, however, not providing any fairness. This is CVE-2026-42489.\n\nFurthermore, with XSM/Flask in use, the lock acquire will, for some\noperations, occur ahead of any permission checking. This is\nCVE-2026-42490."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A less privileged entity may stall an equally or more privileged entity,\npotentially leading to a Denial od Service (DoS) of up to the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:13.198Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-492.html"
}
],
"title": "domctl lock open to abuse",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42489",
"datePublished": "2026-06-18T13:47:13.198Z",
"dateReserved": "2026-04-27T14:20:24.139Z",
"dateUpdated": "2026-06-18T15:04:32.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42487 (GCVE-0-2026-42487)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:46 – Updated: 2026-06-18 15:07
VLAI
EPSS
VEX
Title
x86 HVM I/O port list traversal
Summary
HVM guest I/O port accesses are subject to either emulation or at least
translation. Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed
at any time. Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
Severity
7.9 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T14:35:06.701148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T14:35:11.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T15:07:31.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-491.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-491"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly entities controlling HVM guests can leverage the vulnerability.\nThese are device models running in either a stub domain or de-privileged\nin Dom0."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HVM guest I/O port accesses are subject to either emulation or at least\ntranslation. Translations are managed by the device model (via\nXEN_DOMCTL_ioport_mapping), and hence the linked list used may changed\nat any time. Traversal of those lists (while handling guest I/O port\naccesses) therefore needs synchronizing with updates, which was missing\nso far."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A device model of a HVM guest can cause a hypervisor crash, causing a\nDenial of Service (DoS) of the entire host. Privilege escalation and\ninformation leaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:46:53.459Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-491.html"
}
],
"title": "x86 HVM I/O port list traversal",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or PVH guests will avoid the vulnerability.\n\n(Switching from a device model stub domain or a de-privileged device\nmodel to a fully privileged Dom0 device model does NOT mitigate this\nvulnerability. Rather, it simply recategorises the vulnerability to\nhostile management code, regarding it \"as designed\"; thus it merely\nreclassifies these issues as \"not a bug\". The security of a Xen system\nusing stub domains is still better than with a qemu-dm running as a Dom0\nprocess. Users and vendors of stub qemu dm systems should not change\ntheir configuration to use a Dom0 qemu process.)"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42487",
"datePublished": "2026-06-18T13:46:53.459Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-06-18T15:07:31.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}