CVE-2026-23556
Deferred Deferred - Pending Action

oxenstored Domain Quota Leak Leading to Resource Exhaustion

Vulnerability report for CVE-2026-23556, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Xen Project

Description

When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
xen oxenstored to 4.17.x (inc)
xen xapi_oxenstored to 4.17.x (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-281 The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-23556 is a vulnerability in Xen's oxenstored component, where quota-related usage counts are not properly cleared when a domain is destroyed.

Although the node data is cleaned up during domain teardown, the usage counts remain leaked.

When the domain ID is reused, the new domain inherits these leaked usage counts, causing it to hit its quota limit prematurely and allowing it to create fewer nodes than expected.

A malicious domain can exploit this by repeatedly hitting its quota and rebooting, accelerating the exhaustion of node creation capacity.

Impact Analysis

This vulnerability can cause new domains that reuse domain IDs to be unable to create the expected number of nodes, effectively limiting their operation.

Over time, this can prevent new domains from functioning properly due to premature quota exhaustion.

A malicious actor could deliberately exploit this by repeatedly exceeding quotas and rebooting domains, accelerating the denial of service effect.

Mitigation Strategies

To mitigate the vulnerability in oxenstored, you should apply the available patches for Xen versions 4.18.x, 4.17.x, and XAPI oxenstored.

A live update of the xenstore daemon can also mitigate the problem temporarily.

Ensure that your system is using oxenstored (the Ocaml-based Xenstore daemon), as systems using xenstored (the C implementation) are not affected.

Downstream maintainers are advised to update to the latest stable branch before applying patches.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23556. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart