CVE-2025-58146
Deferred Deferred - Pending Action

XAPI Database UTF-8 Handling Flaws Lead to Crash

Vulnerability report for CVE-2025-58146, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Xen Project

Description

There are multiple issues. 1. Updates to the XAPI database sanitise input strings, but try generating the notification using the unsanitised input. This causes the database's event thread to terminate and cease further processing. 2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI uses libraries which conform to the stricter v3.1 of the Unicode spec. This causes some strings to be accepted as valid UTF-8 by XAPI, but rejected by other libraries in use. Notably, such strings can be entered into the database, after which the database can no longer be loaded. 3. There is no input sanitisation for Map/Set updates on objects in the XAPI database.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
xen xapi *
xen xapi to 3.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to deploy an updated version of XAPI that includes the provided patch addressing these vulnerabilities.

If the XAPI database is corrupted due to malformed UTF-8 strings, manual intervention is required to strip the bad characters from the database to restore normal operation.

Since there are no other mitigations available, patching XAPI promptly is critical to prevent denial of service caused by these issues.

During the embargo period, deployment of the patch is permitted under specific conditions, so organizations should plan to apply the update as soon as possible.

Executive Summary

CVE-2025-58146 is a vulnerability in XAPI, the Xen API management tool, involving multiple issues related to UTF-8 string handling.

  • First, XAPI sanitizes input strings for its database but generates notifications using unsanitized input, which causes the database's event thread to crash and stop processing.
  • Second, XAPI's UTF-8 encoder implements Unicode version 3.0, while it uses libraries that follow the stricter Unicode version 3.1. This mismatch allows some strings to be accepted by XAPI but rejected by other libraries, potentially corrupting the database and preventing it from loading.
  • Third, there is no input sanitization for Map/Set updates on objects in the XAPI database.
Impact Analysis

This vulnerability can be exploited to cause a Denial of Service (DoS) in the XAPI system.

  • The first two issues can be exploited by guest administrators to crash the database event thread or corrupt the database, causing it to enter a restart loop and cease normal operation.
  • The third issue can be exploited by authenticated API users to update Map/Set objects without input sanitization, potentially leading to further instability.

If the database becomes corrupted, manual intervention is required to remove bad characters to restore functionality.

All versions of XAPI are affected, and no mitigations are available other than deploying an updated patched version.

Detection Guidance

This vulnerability can be detected by observing the behavior of the XAPI database and its event thread. Specifically, if the database's event thread terminates and ceases further processing, or if XAPI enters a restart loop, these are indicators of the vulnerability being triggered.

Detection involves monitoring for crashes or restart loops of the XAPI service, which may be caused by unsanitized input strings or corrupted UTF-8 strings in the database.

Since the vulnerability relates to malformed UTF-8 strings and unsanitized input, commands to check the XAPI service status and logs can help detect issues. For example:

  • Check the status of the XAPI service: `systemctl status xapi`
  • Review XAPI logs for errors related to database event thread termination or UTF-8 encoding issues: `journalctl -u xapi` or check log files under `/var/log/xapi/`
  • Monitor for repeated restarts or crashes of the XAPI process using: `ps aux | grep xapi` or `systemctl is-failed xapi`

There are no specific commands provided in the resources for scanning or detecting malformed UTF-8 strings in the database, so manual log inspection and service monitoring are the primary detection methods.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart