Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
99 vulnerabilities by Cloud Software Group
MOKSHA-2026-0010 (moksha-2026-0010)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Block Device Path Injection via PBD.device_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject an arbitrary block device path via PBD.device_config:device when creating an EXT or LVM SR. The SM driver reads the path and passes it to pvcreate and vgcreate, which execute destructive operations on the attacker-chosen device. A systemroot check protects the host root device, but does not protect other partitions, additional disks, remote block devices, or other VMs' local storage. Data destruction on arbitrary accessible block devices results.
Severity
CWE
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject an arbitrary block device path via PBD.device_config:device when creating an EXT or LVM SR. The SM driver reads the path and passes it to pvcreate and vgcreate, which execute destructive operations on the attacker-chosen device. A systemroot check protects the host root device, but does not protect other partitions, additional disks, remote block devices, or other VMs\u0027 local storage. Data destruction on arbitrary accessible block devices results."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:L/SA:H",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0010"
}
],
"title": "Block Device Path Injection via PBD.device_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0010"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0010",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0078 (moksha-2026-0078)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Guest Clock Manipulation via VDI.other_config timeoffset
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the guest VM's RTC clock by setting the timeoffset key in VDI.other_config. When a VDI has on_boot=reset, the VDI-level timeoffset overrides the VM platform setting during domain creation (xapi_xenops.ml:312-327). No type validation enforces the expected integer format - arbitrary strings are accepted. Corrupted guest clock affects Windows license validation, certificate expiration, Kerberos authentication, and audit trail integrity. The field has no map_keys_roles entries for infrastructure keys.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the guest VM\u0027s RTC clock by setting the timeoffset key in VDI.other_config. When a VDI has on_boot=reset, the VDI-level timeoffset overrides the VM platform setting during domain creation (xapi_xenops.ml:312-327). No type validation enforces the expected integer format - arbitrary strings are accepted. Corrupted guest clock affects Windows license validation, certificate expiration, Kerberos authentication, and audit trail integrity. The field has no map_keys_roles entries for infrastructure keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0078"
}
],
"title": "Guest Clock Manipulation via VDI.other_config timeoffset"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0078"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0078",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0072 (moksha-2026-0072)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
SR Scan Interval Manipulation via Host.other_config auto-scan-interval
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the SR scanning interval by writing an arbitrary float value to Host.other_config:auto-scan-interval. The value is read at xapi_sr.ml:166-168 with float_of_string and no range validation. Setting 0.001 causes continuous SR scanning (CPU/IO exhaustion); setting 999999999 effectively disables scanning (storage state blindness). The field has no map_keys_roles entries for infrastructure keys.
Severity
4.9 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the SR scanning interval by writing an arbitrary float value to Host.other_config:auto-scan-interval. The value is read at xapi_sr.ml:166-168 with float_of_string and no range validation. Setting 0.001 causes continuous SR scanning (CPU/IO exhaustion); setting 999999999 effectively disables scanning (storage state blindness). The field has no map_keys_roles entries for infrastructure keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0072"
}
],
"title": "SR Scan Interval Manipulation via Host.other_config auto-scan-interval"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0072"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0072",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0024 (moksha-2026-0024)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
NFS Mount Option Injection via PBD.device_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary NFS mount options via PBD.device_config:options when creating an NFS storage repository. The NFSSR driver appends these options directly to the mount.nfs command without sanitization. An attacker can inject sec=none to disable NFS authentication, noac to cause performance denial of service, or ro to force read-only access. The attack was confirmed via live testing with all checks passing.
Severity
CWE
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary NFS mount options via PBD.device_config:options when creating an NFS storage repository. The NFSSR driver appends these options directly to the mount.nfs command without sanitization. An attacker can inject sec=none to disable NFS authentication, noac to cause performance denial of service, or ro to force read-only access. The attack was confirmed via live testing with all checks passing."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "Improper Neutralization of Argument Delimiters in a Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0024"
}
],
"title": "NFS Mount Option Injection via PBD.device_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0024"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0024",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0042 (moksha-2026-0042)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
SMTP Server Redirection / Credential Exfiltration via Pool.other_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all pool alert emails through an attacker-controlled SMTP server by writing ssmtp-mailhub and related ssmtp-* keys to Pool.other_config. The mail-alarm script uses these keys as unsanitized macro replacements in the ssmtp configuration template, enabling SMTP server redirection, alert data exfiltration, and potential SMTP credential theft.
Severity
6.5 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all pool alert emails through an attacker-controlled SMTP server by writing ssmtp-mailhub and related ssmtp-* keys to Pool.other_config. The mail-alarm script uses these keys as unsanitized macro replacements in the ssmtp configuration template, enabling SMTP server redirection, alert data exfiltration, and potential SMTP credential theft."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0042"
}
],
"title": "SMTP Server Redirection / Credential Exfiltration via Pool.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0042"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0042",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0015 (moksha-2026-0015)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
VHD Format Flag Corruption via SR.sm_config use_vhd
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause complete data loss for all VDIs on an LVHD storage repository by removing the use_vhd key from SR.sm_config. This key determines whether the LVHDSR driver operates in VHD format or raw LV mode. Removing it causes the driver to fall back to raw LV mode on the next PBD plug cycle. VHD-format VDIs accessed in raw mode produce garbage data, and raw-mode writes corrupt VHD metadata structures, resulting in unrecoverable data loss for every VDI on the affected SR.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause complete data loss for all VDIs on an LVHD storage repository by removing the use_vhd key from SR.sm_config. This key determines whether the LVHDSR driver operates in VHD format or raw LV mode. Removing it causes the driver to fall back to raw LV mode on the next PBD plug cycle. VHD-format VDIs accessed in raw mode produce garbage data, and raw-mode writes corrupt VHD metadata structures, resulting in unrecoverable data loss for every VDI on the affected SR."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0015"
}
],
"title": "VHD Format Flag Corruption via SR.sm_config use_vhd"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0015"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0015",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0057 (moksha-2026-0057)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
FIST Namespace Exposure via VM.xenstore_data
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject FIST/-prefixed keys into VM.xenstore_data, polluting the Fault Injection Service Testing namespace. The FIST prefix is included in allowed_xsdata_prefixes at domain.ml:164, allowing these keys to pass through the xenopsd filter. While XAPI's actual fault injection reads /tmp/fist_* files on disk (not xenstore), the namespace pollution persists across VM restarts and establishes a pre-positioned injection path for future xenstore-based FIST consumption.
Severity
5.3 (Medium)
CWE
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject FIST/-prefixed keys into VM.xenstore_data, polluting the Fault Injection Service Testing namespace. The FIST prefix is included in allowed_xsdata_prefixes at domain.ml:164, allowing these keys to pass through the xenopsd filter. While XAPI\u0027s actual fault injection reads /tmp/fist_* files on disk (not xenstore), the namespace pollution persists across VM restarts and establishes a pre-positioned injection path for future xenstore-based FIST consumption."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0057"
}
],
"title": "FIST Namespace Exposure via VM.xenstore_data"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0057"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0057",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0051 (moksha-2026-0051)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Config Drive Misidentification via VDI.other_config config-drive
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can mark any VDI as a cloud-init config drive by setting config-drive=true in VDI.other_config. The key is defined in xapi_globs.ml as a sync key and consumed during migration and import operations. Guest cloud-init agents misinterpret the flagged VDI's contents as trusted hypervisor-provided metadata, potentially initializing the guest with attacker-controlled configuration.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can mark any VDI as a cloud-init config drive by setting config-drive=true in VDI.other_config. The key is defined in xapi_globs.ml as a sync key and consumed during migration and import operations. Guest cloud-init agents misinterpret the flagged VDI\u0027s contents as trusted hypervisor-provided metadata, potentially initializing the guest with attacker-controlled configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0051"
}
],
"title": "Config Drive Misidentification via VDI.other_config config-drive"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0051"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0051",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0007 (moksha-2026-0007)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Backend-Kind I/O Driver Type Confusion via VBD.other_config
Summary
A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can change the storage I/O backend driver for any VBD by writing to VBD.other_config:backend-kind. This key selects whether kernel blkback or userspace tapdisk handles I/O. An attacker can force a VBD to use an unexpected backend, bypassing tapdisk-level access controls, monitoring, and VHD chain processing. The key has no per-key RBAC protection and accepts arbitrary values.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can change the storage I/O backend driver for any VBD by writing to VBD.other_config:backend-kind. This key selects whether kernel blkback or userspace tapdisk handles I/O. An attacker can force a VBD to use an unexpected backend, bypassing tapdisk-level access controls, monitoring, and VHD chain processing. The key has no per-key RBAC protection and accepts arbitrary values."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0007"
}
],
"title": "Backend-Kind I/O Driver Type Confusion via VBD.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0007"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0007",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0026 (moksha-2026-0026)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Python Module Import Injection via Host.other_config multipathhandle
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a controlled Python module name via Host.other_config:multipathhandle. The SM driver SR._mpathinit() passes this value to Python __import__() as mpath_<value>. Combined with a file write primitive (provided by BOC-1), an attacker places a malicious .py file in /opt/xensource/sm/ and triggers import as root during the next SR operation. Standalone exploitation requires pool-operator plus an independent file write capability.
Severity
CWE
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a controlled Python module name via Host.other_config:multipathhandle. The SM driver SR._mpathinit() passes this value to Python __import__() as mpath_\u003cvalue\u003e. Combined with a file write primitive (provided by BOC-1), an attacker places a malicious .py file in /opt/xensource/sm/ and triggers import as root during the next SR operation. Standalone exploitation requires pool-operator plus an independent file write capability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0026"
}
],
"title": "Python Module Import Injection via Host.other_config multipathhandle"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0026"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0026",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0048 (moksha-2026-0048)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Storage Availability Disruption via Host.other_config multipathing
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable multipath I/O redundancy on a host by writing multipathing=false to Host.other_config. SM drivers read this key during initialization and switch to single-path I/O. If the single remaining storage path fails, all VMs on that storage become unavailable. The field has no map_keys_roles protection for infrastructure keys, and the degradation produces no warnings or alerts.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable multipath I/O redundancy on a host by writing multipathing=false to Host.other_config. SM drivers read this key during initialization and switch to single-path I/O. If the single remaining storage path fails, all VMs on that storage become unavailable. The field has no map_keys_roles protection for infrastructure keys, and the degradation produces no warnings or alerts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0048"
}
],
"title": "Storage Availability Disruption via Host.other_config multipathing"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0048"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0048",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0002 (moksha-2026-0002)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Storage Protocol Injection via sm_config
Summary
A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can write arbitrary key-value pairs to VDI.sm_config and SR.sm_config. These fields store internal storage driver state including VHD chain metadata, GC control flags, and encryption key hashes. XAPI performs zero validation and never notifies the storage backend. SM drivers consume the attacker's data as authoritative internal state, turning the hypervisor into a silent proxy that forwards corrupted commands to the storage subsystem through the trusted management channel. Seven exploitation scenarios are confirmed with live evidence including VHD chain severance, SR-wide crash, GC misdirection, and storage saturation.
Severity
9.9 (Critical)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can write arbitrary key-value pairs to VDI.sm_config and SR.sm_config. These fields store internal storage driver state including VHD chain metadata, GC control flags, and encryption key hashes. XAPI performs zero validation and never notifies the storage backend. SM drivers consume the attacker\u0027s data as authoritative internal state, turning the hypervisor into a silent proxy that forwards corrupted commands to the storage subsystem through the trusted management channel. Seven exploitation scenarios are confirmed with live evidence including VHD chain severance, SR-wide crash, GC misdirection, and storage saturation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0002"
}
],
"title": "Storage Protocol Injection via sm_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0002"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0002",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0036 (moksha-2026-0036)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
LVM Configuration Injection via SR.other_config lvm-conf
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary LVM configuration by setting SR.other_config:lvm-conf to a crafted value. The value is interpolated into --config devices{VALUE} in LVM commands executed by SM drivers without sanitization. The LVM --config parameter accepts arbitrary configuration overrides including device filter rules, enabling device filter manipulation that affects which block devices LVM operates on across storage repositories.
Severity
CWE
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary LVM configuration by setting SR.other_config:lvm-conf to a crafted value. The value is interpolated into --config devices{VALUE} in LVM commands executed by SM drivers without sanitization. The LVM --config parameter accepts arbitrary configuration overrides including device filter rules, enabling device filter manipulation that affects which block devices LVM operates on across storage repositories."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "Improper Neutralization of Argument Delimiters in a Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0036"
}
],
"title": "LVM Configuration Injection via SR.other_config lvm-conf"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0036"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0036",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0038 (moksha-2026-0038)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Provisioning Type Manipulation via SR.sm_config allocation
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage provisioning behavior by modifying or removing the allocation key in SR.sm_config after SR creation. The key controls whether LVHD SRs use thin or thick provisioning. Changing allocation from thin to thick causes new VDIs to pre-allocate full LV size instead of thin-provisioning. On overcommitted SRs, this causes immediate storage exhaustion. Restoring the key does not shrink already-inflated LVs - recovery requires storage migration.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage provisioning behavior by modifying or removing the allocation key in SR.sm_config after SR creation. The key controls whether LVHD SRs use thin or thick provisioning. Changing allocation from thin to thick causes new VDIs to pre-allocate full LV size instead of thin-provisioning. On overcommitted SRs, this causes immediate storage exhaustion. Restoring the key does not shrink already-inflated LVs - recovery requires storage migration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0038"
}
],
"title": "Provisioning Type Manipulation via SR.sm_config allocation"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0038"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0038",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0069 (moksha-2026-0069)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Hypervisor Security Feature Manipulation via VM.platform (nx/hap)
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable CPU security features by writing to VM.platform keys. Setting nx=false removes DEP protection, hap=false forces shadow paging, nested-virt=true expands the hypervisor attack surface, and extreme max_grant_frames/max_maptrack_frames values cause resource exhaustion. The field has zero map_keys_roles entries - all security-critical hypervisor keys are writable by the lowest delegated management role.
Severity
5.3 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable CPU security features by writing to VM.platform keys. Setting nx=false removes DEP protection, hap=false forces shadow paging, nested-virt=true expands the hypervisor attack surface, and extreme max_grant_frames/max_maptrack_frames values cause resource exhaustion. The field has zero map_keys_roles entries - all security-critical hypervisor keys are writable by the lowest delegated management role."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0069"
}
],
"title": "Hypervisor Security Feature Manipulation via VM.platform (nx/hap)"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0069"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0069",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0025 (moksha-2026-0025)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid)
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage protocol metadata by modifying targetIQN, target, datatype, or LUNid keys in SR.sm_config on iSCSI and HBA storage repositories. These keys are written by the SM driver during SR.create and read back during subsequent operations, but the field remains writable after creation. Modifying LUNid causes VDI operations to target the wrong LUN, enabling cross-SR data corruption. This is an SR-level variant of the SMC-1 storage protocol injection vector.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage protocol metadata by modifying targetIQN, target, datatype, or LUNid keys in SR.sm_config on iSCSI and HBA storage repositories. These keys are written by the SM driver during SR.create and read back during subsequent operations, but the field remains writable after creation. Modifying LUNid causes VDI operations to target the wrong LUN, enabling cross-SR data corruption. This is an SR-level variant of the SMC-1 storage protocol injection vector."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0025"
}
],
"title": "Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid)"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0025"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0025",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0060 (moksha-2026-0060)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Arbitrary Integer Passthrough to ionice via VBD.qos_algorithm_params
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can pass arbitrary integer values to the Linux ionice binary via the class key in VBD.qos_algorithm_params. The qos_class parser at xapi_xenops.ml:595-600 accepts any integer via Other(int_of_string s), and Ionice.to_class_param passes Other x directly as the -n argument. No range validation is performed - valid range is 0-7 but negative and extreme values are accepted. Kernel behavior with out-of-range ionice values is undefined. Changes take effect immediately without VBD replug.
Severity
5.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can pass arbitrary integer values to the Linux ionice binary via the class key in VBD.qos_algorithm_params. The qos_class parser at xapi_xenops.ml:595-600 accepts any integer via Other(int_of_string s), and Ionice.to_class_param passes Other x directly as the -n argument. No range validation is performed - valid range is 0-7 but negative and extreme values are accepted. Kernel behavior with out-of-range ionice values is undefined. Changes take effect immediately without VBD replug."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0060"
}
],
"title": "Arbitrary Integer Passthrough to ionice via VBD.qos_algorithm_params"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0060"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0060",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0035 (moksha-2026-0035)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
iSCSI Initiator Identity Spoofing via Host.other_config iscsi_iqn
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can overwrite the host's iSCSI initiator identity by setting Host.other_config:iscsi_iqn to an arbitrary IQN string. The XAPI event watcher thread syncs this value to /etc/iscsi/initiatorname.iscsi without format validation. All subsequent iSCSI operations use the spoofed initiator name. Storage targets using IQN-based ACLs grant access based on the spoofed identity, enabling unauthorized access to LUNs belonging to other hosts or tenants.
Severity
6.8 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can overwrite the host\u0027s iSCSI initiator identity by setting Host.other_config:iscsi_iqn to an arbitrary IQN string. The XAPI event watcher thread syncs this value to /etc/iscsi/initiatorname.iscsi without format validation. All subsequent iSCSI operations use the spoofed initiator name. Storage targets using IQN-based ACLs grant access based on the spoofed identity, enabling unauthorized access to LUNs belonging to other hosts or tenants."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0035"
}
],
"title": "iSCSI Initiator Identity Spoofing via Host.other_config iscsi_iqn"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0035"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0035",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0083 (moksha-2026-0083)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Boot Order Manipulation via VM.HVM_boot_params order
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary boot order string in VM.HVM_boot_params:order. The value is passed verbatim to QEMU as the -boot order argument at device.ml:3957-3958. XAPI performs no validation beyond replacing empty values with the default. QEMU ignores unrecognized characters, limiting impact to forcing PXE network boot when the attacker controls DHCP/PXE infrastructure. The field has zero map_keys_roles entries.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary boot order string in VM.HVM_boot_params:order. The value is passed verbatim to QEMU as the -boot order argument at device.ml:3957-3958. XAPI performs no validation beyond replacing empty values with the default. QEMU ignores unrecognized characters, limiting impact to forcing PXE network boot when the attacker controls DHCP/PXE infrastructure. The field has zero map_keys_roles entries."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0083"
}
],
"title": "Boot Order Manipulation via VM.HVM_boot_params order"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0083"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0083",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0013 (moksha-2026-0013)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Pool-Wide OVS Fail-Mode Denial of Service via Pool.other_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause a complete network outage across every host in the pool by setting Pool.other_config:vswitch-controller-fail-mode to secure. This pool-level key serves as the default fail mode for every OVS bridge without a per-network override. Without an SDN controller - the common deployment case - all network traffic is dropped on all bridges across all hosts pool-wide, affecting every VM, management connection, and storage path in the pool.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause a complete network outage across every host in the pool by setting Pool.other_config:vswitch-controller-fail-mode to secure. This pool-level key serves as the default fail mode for every OVS bridge without a per-network override. Without an SDN controller - the common deployment case - all network traffic is dropped on all bridges across all hosts pool-wide, affecting every VM, management connection, and storage path in the pool."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0013"
}
],
"title": "Pool-Wide OVS Fail-Mode Denial of Service via Pool.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0013"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0013",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0075 (moksha-2026-0075)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Memory Ratio Bounds Relaxation via Pool.other_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can relax memory ratio bounds for all VMs by writing extreme values to Pool.other_config:memory-ratio-hvm and memory-ratio-pv. These keys define the lower bound ratio for memory-dynamic-min relative to memory-static-max (default 0.25). Setting to 0 allows VMs to have near-zero dynamic minimum memory, causing guest OS instability or crashes pool-wide when the balloon driver reclaims memory. No range validation exists. The field has no map_keys_roles entries for infrastructure keys.
Severity
4.9 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can relax memory ratio bounds for all VMs by writing extreme values to Pool.other_config:memory-ratio-hvm and memory-ratio-pv. These keys define the lower bound ratio for memory-dynamic-min relative to memory-static-max (default 0.25). Setting to 0 allows VMs to have near-zero dynamic minimum memory, causing guest OS instability or crashes pool-wide when the balloon driver reclaims memory. No range validation exists. The field has no map_keys_roles entries for infrastructure keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0075"
}
],
"title": "Memory Ratio Bounds Relaxation via Pool.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0075"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0075",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0041 (moksha-2026-0041)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Rolling Upgrade State Injection via Pool.other_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a fake rolling upgrade state by writing the rolling_upgrade_in_progress key to Pool.other_config. The mere presence of this key causes helpers.ml to return true, disabling version compatibility checks, altering pool behavior during operations, and preventing detection of version mismatches across the pool. The key has no map_keys_roles protection and no write-time validation.
Severity
6.5 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a fake rolling upgrade state by writing the rolling_upgrade_in_progress key to Pool.other_config. The mere presence of this key causes helpers.ml to return true, disabling version compatibility checks, altering pool behavior during operations, and preventing detection of version mismatches across the pool. The key has no map_keys_roles protection and no write-time validation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0041"
}
],
"title": "Rolling Upgrade State Injection via Pool.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0041"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0041",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0074 (moksha-2026-0074)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
GC and Coalesce Disablement via SR.other_config
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable garbage collection and VHD coalescing on any SR by setting gc=false and/or coalesce=false in SR.other_config. The SM garbage collector reads these keys at cleanup.py:2052 and cleanup.py:2090. When disabled, orphan VDIs accumulate consuming storage, and VHD chains grow unbounded degrading I/O performance until chain-length errors occur. The disablement is silent - no alert, no log, no expiration. The field has no map_keys_roles entries for infrastructure keys.
Severity
4.9 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable garbage collection and VHD coalescing on any SR by setting gc=false and/or coalesce=false in SR.other_config. The SM garbage collector reads these keys at cleanup.py:2052 and cleanup.py:2090. When disabled, orphan VDIs accumulate consuming storage, and VHD chains grow unbounded degrading I/O performance until chain-length errors occur. The disablement is silent - no alert, no log, no expiration. The field has no map_keys_roles entries for infrastructure keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0074"
}
],
"title": "GC and Coalesce Disablement via SR.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0074"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0074",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0088 (moksha-2026-0088)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Int64 Overflow in bytes_per_interval via VIF.qos_algorithm_params
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params kbps and timeslice_us values that cause Int64 overflow in the bytes_per_interval computation at device.ml:835-845. OCaml silently wraps on integer overflow, producing unexpected rate values. xenopsd bounds checking catches most overflow results, but edge cases where the wrapped value falls within the valid range produce rate limits unrelated to the configured kbps. The field has zero map_keys_roles entries.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params kbps and timeslice_us values that cause Int64 overflow in the bytes_per_interval computation at device.ml:835-845. OCaml silently wraps on integer overflow, producing unexpected rate values. xenopsd bounds checking catches most overflow results, but edge cases where the wrapped value falls within the valid range produce rate limits unrelated to the configured kbps. The field has zero map_keys_roles entries."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0088"
}
],
"title": "Int64 Overflow in bytes_per_interval via VIF.qos_algorithm_params"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0088"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0088",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0068 (moksha-2026-0068)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Guest Xenstore Data Injection via VM.platform Map
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VM.platform, and the entire map is written to guest-visible xenstore at /local/domain/<domid>/platform/ during domain creation (domain.ml:486). Guest OSes and guest agents treat all platform xenstore entries as trusted hypervisor configuration. There is no filtering, no key whitelist for guest visibility, and no map_keys_roles protection. Injected keys are indistinguishable from legitimate hypervisor configuration.
Severity
5.3 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VM.platform, and the entire map is written to guest-visible xenstore at /local/domain/\u003cdomid\u003e/platform/ during domain creation (domain.ml:486). Guest OSes and guest agents treat all platform xenstore entries as trusted hypervisor configuration. There is no filtering, no key whitelist for guest visibility, and no map_keys_roles protection. Injected keys are indistinguishable from legitimate hypervisor configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0068"
}
],
"title": "Guest Xenstore Data Injection via VM.platform Map"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0068"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0068",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0079 (moksha-2026-0079)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Network Sharing Bypass via Network.other_config assume_network_is_shared
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can bypass network locality checks by setting assume_network_is_shared=true in Network.other_config. The key is checked at xapi_network_attach_helpers.ml:132-133. When set, XAPI treats the network as shared across all hosts regardless of actual PIF connectivity, allowing VMs to start on hosts without network infrastructure. This causes VIF attachment failures or silent connectivity loss. The field has no map_keys_roles entries for infrastructure keys.
Severity
4.1 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can bypass network locality checks by setting assume_network_is_shared=true in Network.other_config. The key is checked at xapi_network_attach_helpers.ml:132-133. When set, XAPI treats the network as shared across all hosts regardless of actual PIF connectivity, allowing VMs to start on hosts without network infrastructure. This causes VIF attachment failures or silent connectivity loss. The field has no map_keys_roles entries for infrastructure keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0079"
}
],
"title": "Network Sharing Bypass via Network.other_config assume_network_is_shared"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0079"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0079",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0029 (moksha-2026-0029)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
SR-IOV VIF Whitelist Bypass via VIF.other_config
Summary
On SR-IOV-backed VIFs in XAPI-based hypervisors (XenServer, XCP-ng), all VIF.other_config keys bypass the whitelist filter and are written unfiltered to guest-readable xenstore. The standard VIF path (Device.Vif.add) applies a 7-key whitelist; the SR-IOV path (Device.NetSriovVf.add) does not apply this filter. This breaks security equivalence between standard and SR-IOV VIFs, allowing a vm-admin to inject arbitrary key-value pairs into guest-readable xenstore on SR-IOV networks.
Severity
CWE
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "On SR-IOV-backed VIFs in XAPI-based hypervisors (XenServer, XCP-ng), all VIF.other_config keys bypass the whitelist filter and are written unfiltered to guest-readable xenstore. The standard VIF path (Device.Vif.add) applies a 7-key whitelist; the SR-IOV path (Device.NetSriovVf.add) does not apply this filter. This breaks security equivalence between standard and SR-IOV VIFs, allowing a vm-admin to inject arbitrary key-value pairs into guest-readable xenstore on SR-IOV networks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0029"
}
],
"title": "SR-IOV VIF Whitelist Bypass via VIF.other_config"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0029"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0029",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0011 (moksha-2026-0011)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
VIF Backend VM Hijack via Network.other_config backend_vm
Summary
A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all VIF traffic on a network through an attacker-controlled VM by setting Network.other_config:backend_vm to a VM UUID they control. XAPI reads this key in xapi_xenops.ml and returns Network.Remote(backend_vm, bridge) instead of Network.Local(bridge) for all subsequent VIF creations on that network. All VMs connected to the network have their traffic routed through the attacker VM, enabling traffic interception, credential sniffing, and man-in-the-middle attacks.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all VIF traffic on a network through an attacker-controlled VM by setting Network.other_config:backend_vm to a VM UUID they control. XAPI reads this key in xapi_xenops.ml and returns Network.Remote(backend_vm, bridge) instead of Network.Local(bridge) for all subsequent VIF creations on that network. All VMs connected to the network have their traffic routed through the attacker VM, enabling traffic interception, credential sniffing, and man-in-the-middle attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0011"
}
],
"title": "VIF Backend VM Hijack via Network.other_config backend_vm"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0011"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0011",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0067 (moksha-2026-0067)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Cross-Pool Metadata Injection via VDI.xenstore_data on Pool Join
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can poison VDI.xenstore_data on a source pool, and the poisoned metadata crosses into a target pool during pool join or cross-pool migration. The pool join code at xapi_pool.ml:1215 copies VDI records including xenstore_data without re-validation or sanitization. This enables a compromised vm-admin on one pool to inject attacker-controlled storage metadata into a separate, previously uncompromised pool.
Severity
5.3 (Medium)
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can poison VDI.xenstore_data on a source pool, and the poisoned metadata crosses into a target pool during pool join or cross-pool migration. The pool join code at xapi_pool.ml:1215 copies VDI records including xenstore_data without re-validation or sanitization. This enables a compromised vm-admin on one pool to inject attacker-controlled storage metadata into a separate, previously uncompromised pool."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0067"
}
],
"title": "Cross-Pool Metadata Injection via VDI.xenstore_data on Pool Join"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0067"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0067",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
MOKSHA-2026-0084 (moksha-2026-0084)
Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
VLAI
EPSS
VEX
Title
Firmware Type Denial of Service via VM.HVM_boot_params firmware
Summary
A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disrupt VM boot by writing an invalid value to VM.HVM_boot_params:firmware or removing the key. XAPI accepts any value at write time but validates at VM start (xapi_xenops.ml:255-268), raising Server_error on invalid values. Firmware key removal causes BIOS fallback, rendering UEFI guests unbootable. The impact is limited because vm-admin already has VM.hard_shutdown capability. The field has zero map_keys_roles entries.
Severity
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Software Group | XenServer |
Affected:
all
(custom)
|
|
| Vates | XCP-ng |
Affected:
all
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "XenServer",
"vendor": "Cloud Software Group",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
},
{
"product": "XCP-ng",
"vendor": "Vates",
"versions": [
{
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakob Wolffhechel, Moksha"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disrupt VM boot by writing an invalid value to VM.HVM_boot_params:firmware or removing the key. XAPI accepts any value at write time but validates at VM start (xapi_xenops.ml:255-268), raising Server_error on invalid values. Firmware key removal causes BIOS fallback, rendering UEFI guests unbootable. The impact is limited because vm-admin already has VM.hard_shutdown capability. The field has zero map_keys_roles entries."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T06:00:00Z",
"orgId": "moksha.dk",
"shortName": "Moksha"
},
"references": [
{
"url": "https://cna.moksha.dk/MOKSHA-2026-0084"
}
],
"title": "Firmware Type Denial of Service via VM.HVM_boot_params firmware"
}
},
"cveMetadata": {
"alternateIds": [
"GCVE-117-2026-0084"
],
"assignerOrgId": "moksha.dk",
"cveId": "MOKSHA-2026-0084",
"datePublished": "2026-04-24T06:00:00Z",
"state": "PUBLISHED",
"x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}