Description
Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions.

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from time-of-check, time-of-use race conditions in CloudStack's resource count check and increment logic, coupled with missing validations. Because the limit check and the counter increment are separate steps, an authenticated user who issues concurrent resource-creation requests can have all of them pass the check before any of them updates the count, so actual usage for an account or domain exceeds the configured limit. This failure to honor quotas can exhaust cluster or host resources, degrading performance and ultimately causing denial of service. The weakness maps to Time-of-Check Time-of-Use (CWE-367) and Allocation of Resources Without Limits or Throttling (CWE-770).
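To make the two weaknesses concrete, the following is an added example, not Apache CloudStack code and not taken from the advisory: a per-account quota whose limit check and increment are separate steps (and whose check ignores the size of the request) beside a version that validates the request and performs check and increment as one critical section. The quota classes, limits and request sizes are constructed for the demonstration; the barrier only holds the racing threads in the check-to-increment window so the outcome is deterministic.

```python
"""Illustrative check-then-increment quota race (CWE-367) and missing
request-size validation, with the atomic fix. Added example; the classes,
limits and request sizes are constructed and are not CloudStack code."""
import threading


class RacyQuota:
    """Vulnerable pattern: the check reads the counter with no lock and
    ignores how much is requested; the increment runs later as a separate
    step (think: a count query followed by an update query)."""

    def __init__(self, limit):
        self.limit = limit
        self.count = 0
        self._lock = threading.Lock()

    def allocate(self, amount=1, stall=None):
        if self.count >= self.limit:      # time of check: unlocked, ignores amount
            return False
        if stall is not None:
            stall()                       # the window between check and increment
        with self._lock:                  # time of use: atomic, but decided too late
            self.count += amount
        return True


class AtomicQuota:
    """Fixed pattern: validate the request, then check and increment inside
    one critical section so the decision is made on the value being updated."""

    def __init__(self, limit):
        self.limit = limit
        self.count = 0
        self._lock = threading.Lock()

    def allocate(self, amount=1):
        if amount <= 0:
            raise ValueError("amount must be positive")
        with self._lock:
            if self.count + amount > self.limit:
                return False
            self.count += amount
            return True


def _run(n_requests, call):
    """Run `call()` on n_requests threads and collect the boolean results."""
    results, lock = [], threading.Lock()

    def worker():
        ok = call()
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def exploit_racy(limit=2, n_requests=5):
    """Every request passes the check before any increment lands, so all
    are granted and the account ends up over its limit."""
    quota = RacyQuota(limit)
    barrier = threading.Barrier(n_requests)   # keeps all threads in the window
    results = _run(n_requests, lambda: quota.allocate(stall=barrier.wait))
    return {"granted": sum(results), "count": quota.count, "limit": limit}


def exploit_oversize(limit=2, amount=50):
    """One large request passes a check that only looks at the current count."""
    quota = RacyQuota(limit)
    granted = quota.allocate(amount=amount)
    return {"granted": granted, "count": quota.count, "limit": limit}


def fixed_concurrent(limit=2, n_requests=5):
    """Same simultaneous burst against the fixed quota: exactly `limit`
    requests are granted and the rest are denied."""
    quota = AtomicQuota(limit)
    barrier = threading.Barrier(n_requests)

    def request():
        barrier.wait()                    # all requests arrive at the same moment
        return quota.allocate()

    results = _run(n_requests, request)
    return {"granted": sum(results), "denied": n_requests - sum(results),
            "count": quota.count, "limit": limit}


def fixed_oversize(limit=2, amount=50):
    """The fixed check accounts for the requested amount and rejects it."""
    return AtomicQuota(limit).allocate(amount=amount)


if __name__ == "__main__":
    print("racy, concurrent :", exploit_racy())
    print("racy, oversize   :", exploit_oversize())
    print("fixed, concurrent:", fixed_concurrent())
    print("fixed, oversize  :", fixed_oversize())
```

The racy class keeps its increment atomic on purpose: the defect is not a torn write but the fact that the decision and the update are two operations, which is why a lock or database transaction covering only the increment does not help. In a persistent store the same fix is a compare-and-increment in one transaction (or a row lock held across the check), plus validation of the requested amount against the remaining headroom rather than against the current count alone.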

Affected Systems

The issue affects Apache CloudStack, an Apache Software Foundation project. Releases earlier than 4.20.3.0 and 4.22.0.1 are vulnerable; the patch that closes the race condition and enforces the configured limits is included in those releases and later ones.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), the vulnerability is of moderate severity: it is reachable over the network by a low-privileged, authenticated user, needs no user interaction, and affects availability only. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of known exploitation to date. Because exploitation only requires an account that is allowed to create resources, the exposure is greatest in multi-tenant deployments where untrusted tenants can submit concurrent resource requests that slip past the faulty limit checks. The resulting resource exhaustion makes the risk significant for operators who depend on consistent availability of compute, network, or storage capacity.

Generated by OpenCVE AI on May 8, 2026 at 15:39 UTC.

Remediation

The vendor fix is to upgrade to Apache CloudStack 4.20.3.0 or 4.22.0.1, or later; no separate workaround is provided.

OpenCVE Recommended Actions

  • Upgrade Apache CloudStack to version 4.20.3.0, 4.22.0.1, or later, which contains the fix for the race condition and quota enforcement.
  • If an upgrade cannot be performed immediately, note that lowering the configured limits does not close the race, since the limit check itself is what is bypassed; instead, restrict resource-creating API access to trusted accounts where possible and compare actual per-account and per-domain resource counts against their limits so that over-allocation is detected and halted before it causes service disruption.
  • Monitor host and cluster resource metrics and alert when usage approaches the configured limits, so that operators can respond quickly to unexpected consumption.



Advisories

No advisories yet.

History

Sat, 09 May 2026 07:30:00 +0000

Type: References
Values added: (not listed on this page)

Fri, 08 May 2026 20:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*

Fri, 08 May 2026 15:00:00 +0000

Type: First Time appeared
Values added: Apache; Apache cloudstack

Type: Vendors & Products
Values added: Apache; Apache cloudstack

Fri, 08 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 13:00:00 +0000

Type: Description
Values added: (identical to the Description section at the top of this page)

Type: Title
Values added: Apache CloudStack: Domain/account resources limits not honored

Type: Weaknesses
Values added: CWE-367; CWE-770

Type: References
Values added: (not listed on this page)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-09T06:43:04.154Z

Reserved: 2025-12-29T23:06:38.269Z

Link: CVE-2025-69233

Vulnrichment

Updated: 2026-05-09T06:43:04.154Z

NVD

Status: Modified

Published: 2026-05-08T13:16:35.993

Modified: 2026-05-09T07:16:08.847

Link: CVE-2025-69233

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T15:45:08Z

Weaknesses