Description
Any guest issuing a Xenstore command accessing a node using the
(illegal) node path "/local/domain/", will crash xenstored due to a
clobbered error indicator in xenstored when verifying the node path.

Note that the crash is forced via a failing assert() statement in
xenstored. In case xenstored is being built with NDEBUG #defined,
an unprivileged guest trying to access the node path "/local/domain/"
will result in it no longer being serviced by xenstored, other guests
(including dom0) will still be serviced, but xenstored will use up
all cpu time it can get.
Published: 2026-03-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Monitor
AI Analysis

Impact

A non‑privileged guest domain can issue a Xenstore command that references the illegal node path "/local/domain/". Xenstored verifies the path and, due to a clobbered error indicator, triggers a failing assert() statement. When built with NDEBUG, the assert is disabled and instead the process stalls, consuming all available CPU and ceasing to service additional requests. The result is a denial of service that affects the host and all other virtual machines, as xenstored is no longer responsive during the stall period.

Affected Systems

This vulnerability impacts the Xen hypervisor family, specifically the Xenstored component in all releases that include it. Administrators managing Xen‑based virtualized environments should be aware that any Xen installation prior to a patch that addresses the crash logic is vulnerable. Vendor and product names are Xen for the hypervisor.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is high severity, yet the EPSS score is below 1 %, indicating a low likelihood of exploitation in the wild at the moment. The attack requires only an unprivileged guest within the same host and does not require external network access. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely available exploits as of now. Once a patch is released, the risk drops sharply, but until then, a malicious or compromised guest can exhaust host resources by engaging xenstored.

Generated by OpenCVE AI on April 10, 2026 at 21:53 UTC.

Remediation

Vendor Workaround

There is no known mitigation available.

OpenCVE Recommended Actions

  • Verify the Xen hypervisor version in use and consult Xen’s release notes for any post‑February 2026 updates that address the Xenstored crash.
  • Consider configuring Xen to disallow guest domains from accessing "/local/domain/" node paths via custom security policies, if available.
  • Monitor the Xenstored process for abnormal CPU usage or crash logs, and isolate or restart the host if the denial of service manifests.
  • Maintain an updated inventory of patch status for all Xen components to ensure rapid deployment once a fix is released.

Generated by OpenCVE AI on April 10, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Xen
Xen xen
Vendors & Products Xen
Xen xen

Mon, 23 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
References

Mon, 23 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
Description Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.
Title Xenstored DoS by unprivileged domain
References

Subscriptions

Xen Xen
cve-icon MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-03-23T14:14:02.810Z

Reserved: 2026-01-14T13:07:36.961Z

Link: CVE-2026-23555

cve-icon Vulnrichment

Updated: 2026-03-23T07:32:28.482Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T07:16:07.330

Modified: 2026-04-10T20:38:17.427

Link: CVE-2026-23555

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:21Z

Weaknesses