Xenstored Crash Vulnerability in Xen Project Software
CVE-2026-23557

6.5 MEDIUM

Key Information:

Vendor
CVE Published: 19 May 2026

What is CVE-2026-23557?

A vulnerability in Xenstored allows any guest to crash the service by issuing an XS_RESET_WATCHES command within a transaction, which triggers an assert(). If NDEBUG is defined during the build, assert() compiles to nothing and the condition is never checked, so the crash does not occur; however, the default build configuration does not define NDEBUG. In typical release builds of Xen the assert() is therefore active, and a guest, whether malicious or merely buggy, can crash Xenstored, affecting the stability and availability of the service for the whole host.
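To illustrate the bug class (a guest-controllable condition enforced with assert() rather than an error return), the following added C example models the pattern with a hypothetical connection structure and a mock command handler; it is not Xenstored's code and assumes nothing about Xen's internal API.

```c
/* Hypothetical model of the bug class described above: a condition that an
 * untrusted guest can control is checked with assert() instead of being
 * rejected with an error. Added illustrative code, not Xenstored's own. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for per-guest connection state (constructed). */
struct conn {
    int domid;
    bool in_transaction;   /* a transaction was started and not yet ended */
    int nr_watches;
};

/* Vulnerable pattern: the daemon assumes this command never arrives inside a
 * transaction and asserts on it. With NDEBUG undefined (the default build)
 * the assert aborts the whole daemon, cutting off every guest's xenstore
 * access; with NDEBUG defined the check disappears entirely. Neither is
 * acceptable handling of untrusted input. */
static int reset_watches_vulnerable(struct conn *c)
{
    assert(!c->in_transaction);     /* guest-reachable: aborts the service */
    c->nr_watches = 0;
    return 0;
}

/* Hardened pattern: treat the request as untrusted and fail only that
 * request with an error code; the daemon keeps serving everyone else. */
static int reset_watches_hardened(struct conn *c)
{
    if (c->in_transaction)
        return -EINVAL;             /* reject this request, do not abort */
    c->nr_watches = 0;
    return 0;
}

int main(void)
{
    struct conn guest = { .domid = 7, .in_transaction = true, .nr_watches = 3 };
    int rc = reset_watches_hardened(&guest);
    printf("domid %d: rc=%d, watches=%d\n", guest.domid, rc, guest.nr_watches);
    return 0;
}
```

The vulnerable variant is only safe to call when no transaction is open; the hardened variant is safe in both states, which is the property a request handler facing guests must have.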

Affected Version(s)

Xen: consult Xen advisory XSA-484 for the list of affected versions.

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

This issue was discovered by Andrii Sultanov of Vates.