CVE-2026-23555
Published: 23 March 2026
Summary
CVE-2026-23555 is a high-severity Reachable Assertion (CWE-617) vulnerability in Xen. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 4.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the specific flaw in xenstored's node path verification by applying patches from XSA-481, preventing crashes or CPU exhaustion from illegal paths like '/local/domain/'.
Implements robust error handling to avoid clobbered error indicators and failing asserts in xenstored, preventing denial-of-service crashes triggered by invalid guest inputs.
Enforces validation of Xenstore command inputs to reject illegal node paths such as '/local/domain/' before processing, stopping exploitation by unprivileged guests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability description directly describes local exploitation of a Xen hypervisor component (xenstored) leading to application/system crash or resource exhaustion, which maps precisely to T1499.004 Application or System Exploitation for denial of service.
NVD Description
Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.
Deeper analysis
CVE-2026-23555 affects xenstored, a component of the Xen hypervisor. The vulnerability arises when any guest issues a Xenstore command accessing the illegal node path "/local/domain/", causing a crash due to a clobbered error indicator during node path verification in xenstored. This crash is forced via a failing assert() statement. If xenstored is built with NDEBUG defined, an unprivileged guest accessing this path results in it no longer being serviced by xenstored, while other guests including dom0 continue to be serviced, though xenstored will consume all available CPU time.
An unprivileged guest can exploit this vulnerability with local access, low attack complexity, and no user interaction. Exploitation leads to a denial of service, either by crashing xenstored entirely or, in NDEBUG builds, by causing CPU exhaustion specific to the attacker's requests, as indicated by the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and associated CWE-617.
The Xen Project has issued Security Advisory 481 (XSA-481), available at https://xenbits.xenproject.org/xsa/advisory-481.html and http://xenbits.xen.org/xsa/advisory-481.html, detailing the issue. Further discussion appears on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/17/7.
Details
- CWE(s)