{"api_version":"1","generated_at":"2026-04-22T21:39:58+00:00","cve":"CVE-2026-23555","urls":{"html":"https://cve.report/CVE-2026-23555","api":"https://cve.report/api/cve/CVE-2026-23555.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23555","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23555"},"summary":{"title":"Xenstored DoS by unprivileged domain","description":"Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get.","state":"PUBLISHED","assigner":"XEN","published_at":"2026-03-23 07:16:07","updated_at":"2026-04-10 20:38:17"},"problem_types":["CWE-617","CWE-617 CWE-617 Reachable 
Assertion"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/17/7","name":"http://www.openwall.com/lists/oss-security/2026/03/17/7","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://xenbits.xenproject.org/xsa/advisory-481.html","name":"https://xenbits.xenproject.org/xsa/advisory-481.html","refsource":"security@xen.org","tags":["Patch","Vendor 
Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://xenbits.xen.org/xsa/advisory-481.html","name":"http://xenbits.xen.org/xsa/advisory-481.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23555","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23555","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Xen","product":"Xen","version":"unknown consult Xen advisory XSA-481","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"There is no known mitigation available.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"This issue was discovered by Marek Marczykowski-Górecki of\nInvisible Things Lab.","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"23555","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"xen","cpe5":"xen","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x86","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23555","cve":"CVE-2026-23555","epss":"0.000150000","percentile":"0.032650000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:57"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-03-23T07:32:28.482Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/17/7"},{"url":"http://xenbits.xen.org/xsa/advisory-481.html"}],"title":"CVE Program 
Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-23555","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-23T14:11:41.150968Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-617","description":"CWE-617 Reachable Assertion","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-23T14:14:02.810Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unknown","product":"Xen","vendor":"Xen","versions":[{"status":"unknown","version":"consult Xen advisory XSA-481"}]}],"configurations":[{"lang":"en","value":"All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to\nXen 4.17 are not vulnerable.\n\nSystems using the C variant of xenstored are vulnerable. Systems using\nxenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not\nvulnerable."}],"credits":[{"lang":"en","type":"finder","value":"This issue was discovered by Marek Marczykowski-Górecki of\nInvisible Things Lab."}],"datePublic":"2026-03-17T12:00:00.000Z","descriptions":[{"lang":"en","value":"Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. 
In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get."}],"impacts":[{"descriptions":[{"lang":"en","value":"Any unprivileged domain can cause xenstored to crash, causing a\nDoS (denial of service) for any Xenstore action. This will result\nin an inability to perform further domain administration on the host.\n\nIn case xenstored has been built with NDEBUG defined, an unprivileged\ndomain can force xenstored to be 100% busy, but without harming\nxenstored functionality for other guests otherwise."}]}],"providerMetadata":{"dateUpdated":"2026-03-23T06:57:07.653Z","orgId":"23aa2041-22e1-471f-9209-9b7396fa234f","shortName":"XEN"},"references":[{"url":"https://xenbits.xenproject.org/xsa/advisory-481.html"}],"title":"Xenstored DoS by unprivileged domain","workarounds":[{"lang":"en","value":"There is no known mitigation available."}]}},"cveMetadata":{"assignerOrgId":"23aa2041-22e1-471f-9209-9b7396fa234f","assignerShortName":"XEN","cveId":"CVE-2026-23555","datePublished":"2026-03-23T06:57:07.653Z","dateReserved":"2026-01-14T13:07:36.961Z","dateUpdated":"2026-03-23T14:14:02.810Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-23 07:16:07","lastModifiedDate":"2026-04-10 20:38:17","problem_types":["CWE-617","CWE-617 CWE-617 Reachable 
Assertion"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":4},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*","versionStartIncluding":"4.18.0","matchCriteriaId":"242BBD5A-0BAE-4F89-8597-7D286D6C9E25"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23555","Ordinal":"1","Title":"Xenstored DoS by unprivileged domain","CVE":"CVE-2026-23555","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23555","Ordinal":"1","NoteData":"Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. 
In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get.","Type":"Description","Title":"Xenstored DoS by unprivileged domain"}]}}}