CVE-2026-23555 PUBLISHED

Xenstored DoS by unprivileged domain

Assigner: XEN
Reserved: 14.01.2026 Published: 23.03.2026 Updated: 23.03.2026

Any guest issuing a Xenstore command that accesses a node using the (illegal) node path "/local/domain/" will crash xenstored, due to a clobbered error indicator when xenstored verifies the node path.

Note that the crash is forced via a failing assert() statement in xenstored. If xenstored is built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will no longer be serviced by xenstored. Other guests (including dom0) will still be serviced, but xenstored will use up all the CPU time it can get.

Product Status

Vendor Xen
Product Xen
Versions Default status: unknown
  • Version "consult Xen advisory XSA-481": status unknown

Affected Configurations

All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to Xen 4.17 are not vulnerable.

Systems using the C variant of xenstored are vulnerable. Systems using xenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not vulnerable.
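
A triage helper for the two conditions above (Xen version and Xenstore variant), added here as an example and not part of the advisory or of Xen's tooling. The function names and the sample `xl info` excerpt are constructed for illustration; the variant must be supplied by the operator as `xenstored`, `oxenstored` or `xenstore-stubdom`.

```shell
#!/bin/sh
# Added triage helper; function names are this example's own, not Xen tooling.

# Constructed excerpt of `xl info` output, used as offline sample input.
SAMPLE_XL_INFO='host                   : xenhost01
xen_major              : 4
xen_minor              : 18
xen_extra              : .0
xen_version            : 4.18.0'

# Print the xen_version value from `xl info` text on stdin.
xen_version_from_info() {
    awk -F: '$1 ~ /^xen_version[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Return 0 if VERSION is 4.18 or later, 1 if earlier, 2 if unparsable.
version_in_affected_range() {
    ver=${1%%[!0-9.]*}                 # drop suffixes such as "-rc1"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }
}

# classify VERSION VARIANT: prints affected, not-affected or unknown.
# VARIANT is xenstored (C daemon), oxenstored or xenstore-stubdom.
classify() {
    case "$2" in
        oxenstored|xenstore-stubdom) echo not-affected; return 0 ;;
        xenstored) ;;
        *) echo unknown; return 0 ;;
    esac
    rc=0
    version_in_affected_range "$1" || rc=$?
    case "$rc" in
        0) echo affected ;;
        1) echo not-affected ;;
        *) echo unknown ;;
    esac
}
```

On a host, the version can be fed in with `classify "$(xl info | xen_version_from_info)" xenstored`; an `unknown` result means the input could not be parsed and needs manual review.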

Workarounds

There is no known mitigation available.

Credits

  • This issue was discovered by Marek Marczykowski-Górecki of Invisible Things Lab. (finder)

Impacts

  • Any unprivileged domain can cause xenstored to crash, causing a DoS (denial of service) for any Xenstore action. This will result in an inability to perform further domain administration on the host. If xenstored has been built with NDEBUG defined, an unprivileged domain can force xenstored to be 100% busy, but without otherwise harming xenstored functionality for other guests.