CVE-2026-23561
Xen · XAPI
A vulnerability in Xen XAPI allows a vm-admin to manipulate storage domain configurations, potentially causing host storage connections to be erroneously marked as unplugged.
Executive summary
A critical vulnerability in Xen XAPI allows unauthorized manipulation of storage domain settings, which can lead to service disruption and denial of service.
Vulnerability
This vulnerability allows a vm-admin to set VM.other_config:storage_driver_domain, marking a VM as the storage domain for a host storage connection (PBD). Shutting down the manipulated VM can cause the PBD to be incorrectly flagged as unplugged, leading to potential data access issues.
Business impact
This flaw can be leveraged to cause significant service disruption by inducing false storage unplug events. Given the CVSS score of 9.4, the risk of intentional denial of service against storage infrastructure is high, impacting the availability of all VMs dependent on that storage connection.
Remediation
Immediate Action: Update Xen XAPI to the latest version provided by the vendor; monitor the advisory at https://xenbits.xen.org/xsa/advisory-489.html for the latest patches.
Proactive Monitoring: Monitor PBD status logs for frequent or unexpected "unplugged" events and investigate any changes to storage domain configurations.
Compensating Controls: Restrict administrative privileges to prevent unauthorized modification of storage configuration parameters and maintain robust backups of storage metadata.
Exploitation status
Public Exploit Available: False
Analyst recommendation
The potential for service disruption via storage manipulation is a significant operational risk. Organizations should prioritize patching this vulnerability and audit their environment to ensure no VM is currently misconfigured as an unauthorized storage domain.