Xenstore Crash Vulnerability via Malicious Node Path Access (CVE-2026-23555)
A guest VM that issues a Xenstore command with the node path '/local/domain/' can crash xenstored (CVE-2026-23555) or, if NDEBUG is defined, cause a denial of service by consuming all CPU resources.
CVE-2026-23555 is a vulnerability in the Xenstore component of the Xen hypervisor. A malicious or compromised guest virtual machine (VM) can trigger it by issuing a Xenstore command that attempts to access a specific, illegal node path: /local/domain/. Because the node path is not verified properly, an error indicator within the xenstored process is clobbered, and the process ultimately crashes on a failing assert() statement.
Detection coverage (2)
Detect Xenstore Access to Illegal Node Path
Severity: high. Detects attempts to access the /local/domain/ node path in Xenstore commands, potentially indicating an exploitation attempt of CVE-2026-23555.
Detect High CPU Usage by Xenstored
Severity: medium. Detects high CPU usage by the xenstored process, which could indicate a denial-of-service condition related to CVE-2026-23555 when NDEBUG is defined.
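The first rule above, sketched as an added example (not the platform's own query): it scans request log lines for a path that is exactly /local/domain/ and counts matches per requesting domain. The log line layout, the sample lines and the function name find_illegal_access are assumptions constructed for this example; adapt the regular expression to whatever request tracing your xenstored deployment actually produces.

```python
import re
from collections import Counter

# Assumed line layout (constructed for this example, not xenstored's real
# trace format): "<ISO timestamp> dom<id> <OPERATION> <path>"
LINE_RE = re.compile(r"^(\S+)\s+dom(\d+)\s+([A-Z_]+)\s+(\S+)\s*$")

ILLEGAL_PATH = "/local/domain/"  # the node path named in the advisory text

# Constructed sample input; none of these lines come from a real system.
SAMPLE_LOG = """\
2026-01-10T09:14:02Z dom0 READ /local/domain/0/name
2026-01-10T09:14:05Z dom7 READ /local/domain/7/device/vif/0/state
2026-01-10T09:14:09Z dom7 DIRECTORY /local/domain/
garbled line without fields
2026-01-10T09:14:09Z dom7 READ /local/domain/
2026-01-10T09:15:30Z dom12 WRITE /local/domain/12/data/report
2026-01-10T09:16:41Z dom3 GET_PERMS /local/domain/
"""

def find_illegal_access(log_text):
    """Return (hits, per_domain): one dict per matching request, plus a
    Counter of matches keyed by the requesting domain id."""
    hits, per_domain = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing at them
        ts, domid, op, path = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        # Exact match only: "/local/domain/7/..." is ordinary guest traffic.
        # The advisory does not say which commands are affected, so the
        # operation is recorded for triage but not used as a filter.
        if path == ILLEGAL_PATH:
            hits.append({"line": lineno, "time": ts, "domid": domid, "op": op})
            per_domain[domid] += 1
    return hits, per_domain

if __name__ == "__main__":
    hits, per_domain = find_illegal_access(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT line {h['line']}: dom{h['domid']} {h['op']} "
              f"{ILLEGAL_PATH} at {h['time']}")
    for domid, n in per_domain.most_common():
        print(f"dom{domid}: {n} request(s) for {ILLEGAL_PATH}")
```

Correlating a hit's timestamp with a xenstored restart or a sustained CPU spike ties this rule to the second one.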