CVE-2026-23559

Xen · XAPI

A privilege escalation vulnerability in Xen XAPI allows a vm-admin to manipulate arbitrary files in dom0 by misconfiguring VBD settings, leading to unauthorized read or write access.

Executive summary

A critical privilege escalation vulnerability in Xen XAPI allows unauthorized access to dom0, posing a significant risk to host integrity.

Vulnerability

This vulnerability occurs due to improper privilege restriction, where a user with the vm-admin role can set VBD.other_config:backend-local. This allows the attacker to map arbitrary files in dom0 as virtual disks and attach them to a VM they control, resulting in unauthorized file read or modification.

Business impact

The ability to read or modify files within the dom0 environment can lead to a total compromise of the virtualization host. Given the CVSS score of 9.4, this vulnerability represents a critical risk that could result in full system takeover, data exfiltration, and the subversion of all hosted virtual machines.

Remediation

Immediate Action: Update Xen XAPI to the latest version as soon as patches are released by the vendor; see the vendor advisory at https://xenbits.xen.org/xsa/advisory-489.html for specific guidance.

Proactive Monitoring: Audit virtual machine configuration changes and monitor for unauthorized attempts by users with vm-admin roles to modify VBD configurations.

Compensating Controls: Restrict administrative access to the XAPI management interface to trusted personnel and implement strict role-based access control (RBAC) policies.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability presents a severe risk to the underlying virtualization infrastructure. Administrators should prioritize applying vendor-supplied updates immediately and review current RBAC assignments to ensure that only necessary users possess the vm-admin role until a patch can be applied.