CVE-2026-42486
Deferred Deferred - Pending Action

Role-Based Access Control Bypass in XenServer XAPI

Vulnerability report for CVE-2026-42486, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Xen Project

Description

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] XAPI can configure different users with different roles, using Role Based Access Control. For more details, see: https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root. The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system. Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected. * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0. * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling. * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not. * CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware. * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
xen xapi *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42486 is a vulnerability in the Xen XAPI system where a user with the vm-admin role can set the VM.platform:hvm_serial parameter. This parameter should only be modifiable by the pool-admin role, which has full privileges including root SSH access to the host.

Because vm-admins can modify this parameter improperly, they can write arbitrary files in dom0 (the host domain), which is a significant security risk.

Impact Analysis

This vulnerability allows a vm-admin, who normally has limited privileges, to write arbitrary files on the host system (dom0).

Such unauthorized file writes can lead to compromise of the host system, unauthorized modification of critical files, potential privilege escalation, and disruption of virtual machine operations.

Because the pool-admin role is fully privileged and can SSH as root, improper access to these capabilities by vm-admins can severely impact the security and stability of the entire virtualized environment.

Compliance Impact

CVE-2026-42486 allows a vm-admin to write arbitrary files in dom0 by setting the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role.

This vulnerability could lead to unauthorized modification of critical system files, potentially compromising system integrity and confidentiality.

Such unauthorized access and modification may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Mitigation Strategies

The vulnerability CVE-2026-42486 allows a vm-admin to set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role because it can allow arbitrary dom0 file write.

To mitigate this vulnerability, ensure that only users with the pool-admin role have permission to set the VM.platform:hvm_serial parameter.

Review and enforce Role Based Access Control (RBAC) settings to restrict vm-admin privileges from modifying this parameter.

Detection Guidance

Detection of this vulnerability involves identifying users assigned to roles such as vm-admin that have the ability to set VM.platform:hvm_serial, which should be restricted to pool-admins.

Since the vulnerability is related to Role Based Access Control (RBAC) misconfigurations in XAPI, you can check the roles assigned to users and audit any changes to VM parameters, especially VM.platform:hvm_serial.

Commands to detect potential exploitation or configuration issues might include:

  • Listing users and their roles in XAPI to identify vm-admin assignments.
  • Querying VM configurations to check if the VM.platform:hvm_serial parameter has been set or modified.
  • Reviewing audit logs for changes to VM.platform:hvm_serial or other suspicious VM parameter modifications.

Specific commands are not provided in the resources, but typical commands might include using `xe` CLI tools to list users and roles, and to inspect VM configurations, for example:

  • `xe user-list` to list users.
  • `xe role-list` to list roles.
  • `xe vm-param-list uuid=<vm-uuid>` to check VM parameters including VM.platform:hvm_serial.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart