            Xen Security Advisory CVE-2026-23555 / XSA-481
                               version 2

                 Xenstored DoS by unprivileged domain

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Any guest issuing a Xenstore command accessing a node using the
(illegal) node path "/local/domain/", will crash xenstored due to a
clobbered error indicator in xenstored when verifying the node path.

Note that the crash is forced via a failing assert() statement in
xenstored. In case xenstored is being built with NDEBUG #defined,
an unprivileged guest trying to access the node path "/local/domain/"
will result in it no longer being serviced by xenstored. Other guests
(including dom0) will still be serviced, but xenstored will use up
all cpu time it can get.

IMPACT
======

Any unprivileged domain can cause xenstored to crash, causing a DoS
(denial of service) for any Xenstore action. This will result in an
inability to perform further domain administration on the host.

In case xenstored has been built with NDEBUG defined, an unprivileged
domain can force xenstored to be 100% busy, but without harming
xenstored functionality for other guests otherwise.

VULNERABLE SYSTEMS
==================

All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to
Xen 4.17 are not vulnerable.

Systems using the C variant of xenstored are vulnerable. Systems using
xenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not
vulnerable.

MITIGATION
==========

There is no known mitigation available.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa481.patch           xen-unstable - Xen 4.18.x

$ sha256sum xsa481*
148147e4545a4670578c0f24aa136f67bc203c7b18ec980b8cc80cfbb04ace68  xsa481.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

Switching xenstored with oxenstored or xenstore-stubdom is not
permitted as a mitigation, as this is a guest visible change of the
configuration.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
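
The triage helper below is an added example, not part of the advisory and not Xen Project code. It applies the VULNERABLE SYSTEMS criteria to a Xen version and a Xenstore implementation name supplied by the operator, and checks a patch file against the digest listed under RESOLUTION; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Xen Project code). Function names are hypothetical.
XSA481_SHA256=148147e4545a4670578c0f24aa136f67bc203c7b18ec980b8cc80cfbb04ace68

# $1 = Xen version (e.g. the xen_version field of `xl info`)
# $2 = Xenstore implementation: xenstored | oxenstored | xenstore-stubdom
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = cannot tell.
xsa481_exposure() {
    case "$2" in
        oxenstored|xenstore-stubdom)
            echo "not vulnerable: $2 is not the C xenstored"; return 0 ;;
        xenstored) ;;
        *)  echo "unknown: unrecognised Xenstore implementation '$2'"; return 2 ;;
    esac
    # Take "major.minor" and ignore suffixes such as ".2", "-rc1", "-unstable".
    case "$1" in *.*) ;; *) echo "unknown: cannot parse '$1'"; return 2 ;; esac
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) echo "unknown: cannot parse '$1'"; return 2 ;; esac
    [ -n "$minor" ] || { echo "unknown: cannot parse '$1'"; return 2; }
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }; then
        echo "vulnerable: C xenstored on Xen $major.$minor; apply xsa481.patch"
        return 1
    fi
    echo "not vulnerable: Xen $major.$minor predates 4.18"
    return 0
}

# Compare a patch file with the SHA-256 digest published in the advisory.
# Returns 0 = match, 1 = mismatch, 2 = file not readable.
xsa481_patch_ok() {
    [ -r "$1" ] || return 2
    got=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$got" = "$XSA481_SHA256" ]
}

# Constructed inventory: host name, Xen version, Xenstore implementation.
while read -r h v i; do
    printf '%s: ' "$h"
    xsa481_exposure "$v" "$i" || true
done <<'EOF'
hv-a 4.17.5 xenstored
hv-b 4.18.2 xenstored
hv-c 4.20.0 oxenstored
hv-d 4.21-unstable xenstored
EOF
```

A host reported as "unknown" needs a manual check of its version and Xenstore variant before it can be ruled out.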