CVE-2025-69233
Race Condition in Apache CloudStack Allows Resource Exhaustion
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cloudstack | From 4.21.0.0 (inc) to 4.22.0.1 (exc) |
| apache | cloudstack | From 4.0.0 (inc) to 4.20.3.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability arises from multiple time-of-check time-of-use (TOCTOU) race conditions in the resource count check and increment logic, combined with missing validations. Because of these issues, users of the platform can exceed the allocation limits set for their accounts or domains.
Essentially, the system fails to properly enforce resource limits due to timing and validation flaws, allowing attackers to consume more resources than allowed.
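The check-then-increment race described above, as an added illustration rather than CloudStack's own code: a constructed Go model of an account quota in which the limit check and the counter increment are separate critical sections (the CWE-367 pattern), next to the hardened form that reserves the resource in a single atomic check-and-increment.

```go
package main

import "sync"

// ResourceLimiter models one account's quota: current count and maximum.
// Constructed model of the check/increment pattern, not CloudStack code.
type ResourceLimiter struct {
	mu    sync.Mutex
	count int
	limit int
}

// AllocateRacy shows the CWE-367 pattern: the check and the increment are
// separate critical sections, so concurrent callers can all pass the check
// before any of them increments, and the count can end up above the limit.
func (r *ResourceLimiter) AllocateRacy() bool {
	r.mu.Lock()
	ok := r.count < r.limit // time of check
	r.mu.Unlock()
	if !ok {
		return false
	}
	r.mu.Lock()
	r.count++ // time of use: the state may have changed since the check
	r.mu.Unlock()
	return true
}

// AllocateSafe does the check and the increment in one critical section, so
// the reservation is atomic and the limit cannot be exceeded.
func (r *ResourceLimiter) AllocateSafe() bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.count >= r.limit {
		return false
	}
	r.count++
	return true
}

// Hammer issues n concurrent allocation attempts and returns the final count.
func Hammer(r *ResourceLimiter, n int, alloc func() bool) int {
	var wg sync.WaitGroup
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() { defer wg.Done(); alloc() }()
	}
	wg.Wait()
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.count
}
```

Running `Hammer` with many goroutines against `AllocateRacy` typically ends above the limit, while `AllocateSafe` never does; the same principle applies to a database-backed counter, where the count check and the update must run in one transaction with row locking.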
How can this vulnerability impact me?
An attacker exploiting this vulnerability can exhaust the infrastructure's resources by exceeding allocation limits, which can lead to denial of service (DoS) conditions.
This means legitimate users may experience service interruptions or degraded performance due to resource exhaustion caused by malicious users.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache CloudStack version 4.20.3.0 or 4.22.0.1, or later, which fix this issue.