Database Input Issues in XAPI by Xen Project
CVE-2025-58146

9.4CRITICAL

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2025-58146?

XAPI, developed by the Xen Project, has identified multiple vulnerabilities that can severely impact database operations. The first issue arises when input strings are sanitized during updates to the XAPI database, yet notifications are generated using unsanitized input, leading to termination of the database's event thread. Additionally, discrepancies between the UTF-8 encoder in XAPI, which adheres to version 3.0 of the Unicode specification, and other libraries that comply with version 3.1 can allow invalid strings to be stored in the database. As a result, such strings may cause the database to become unloaderable. Finally, there is a lack of input sanitization during Map/Set updates on objects within the database, further exposing the system to potential issues.

Affected Version(s)

XAPI Linux all

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Edwin Török from XenServer.
.