CVE-2026-23559
Xen · XAPI
A privilege escalation vulnerability in Xen XAPI allows a vm-admin to manipulate arbitrary files in dom0 by misconfiguring VBD settings, leading to unauthorized read or write access.
Executive summary
A critical privilege escalation vulnerability in Xen XAPI allows unauthorized access to dom0, posing a significant risk to host integrity.
Vulnerability
This vulnerability occurs due to improper privilege restriction, where a user with the vm-admin role can set VBD.other_config:backend-local. This allows the attacker to map arbitrary files in dom0 as virtual disks and attach them to a VM they control, resulting in unauthorized file read or modification.
Business impact
The ability to read or modify files within the dom0 environment can lead to a total compromise of the virtualization host. Given the CVSS score of 9.4, this vulnerability represents a critical risk that could result in full system takeover, data exfiltration, and the subversion of all hosted virtual machines.
Remediation
Immediate Action: Update Xen XAPI to the latest version as soon as patches are released by the vendor; see the vendor advisory at https://xenbits.xen.org/xsa/advisory-489.html for specific guidance.
Proactive Monitoring: Audit virtual machine configuration changes and monitor for unauthorized attempts by users with vm-admin roles to modify VBD configurations.
Compensating Controls: Restrict administrative access to the XAPI management interface to trusted personnel and implement strict role-based access control (RBAC) policies.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability presents a severe risk to the underlying virtualization infrastructure. Administrators should prioritize applying vendor-supplied updates immediately and review current RBAC assignments to ensure that only necessary users possess the vm-admin role until a patch can be applied.