Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    99 vulnerabilities by Cloud Software Group

    MOKSHA-2026-0047 (moksha-2026-0047)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    DNS Search Domain Injection via PIF.other_config domain
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary DNS search domains into the host resolver configuration by writing to PIF.other_config:domain. The nm.ml module reads this key, splits on commas, and passes the resulting domain list to xcp-networkd with no validation. Injected search domains cause unqualified hostname lookups to resolve through attacker-controlled domains, enabling DNS hijack of internal service discovery.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-862 - Missing Authorization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary DNS search domains into the host resolver configuration by writing to PIF.other_config:domain. The nm.ml module reads this key, splits on commas, and passes the resulting domain list to xcp-networkd with no validation. Injected search domains cause unqualified hostname lookups to resolve through attacker-controlled domains, enabling DNS hijack of internal service discovery."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0047"
            }
          ],
          "title": "DNS Search Domain Injection via PIF.other_config domain"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0047"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0047",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0006 (moksha-2026-0006)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Storage Migration Redirection via VDI.other_config maps_to
    Summary
    The maps_to key in VDI.other_config in XAPI-based hypervisors (XenServer, XCP-ng) is used during cross-pool migration to map local VDIs to remote destinations. An attacker with root access (via BOC-1) can modify maps_to in the XAPI database mid-migration, redirecting disk operations to an attacker-controlled VDI. The import code reads the modified value via Ref.of_string() with no validation, enabling cross-tenant data exfiltration and data corruption during live migration.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-862 - Missing Authorization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The maps_to key in VDI.other_config in XAPI-based hypervisors (XenServer, XCP-ng) is used during cross-pool migration to map local VDIs to remote destinations. An attacker with root access (via BOC-1) can modify maps_to in the XAPI database mid-migration, redirecting disk operations to an attacker-controlled VDI. The import code reads the modified value via Ref.of_string() with no validation, enabling cross-tenant data exfiltration and data corruption during live migration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0006"
            }
          ],
          "title": "Storage Migration Redirection via VDI.other_config maps_to"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0006"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0006",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0076 (moksha-2026-0076)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Network Offload Disablement via PIF.other_config ethtool Keys
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC hardware offload features on any physical interface by writing ethtool-gro=off, ethtool-tso=off, etc. to PIF.other_config. These keys are consumed at nm.ml:45-110 and applied via xcp-networkd. Disabling offloads forces software packet processing, degrading performance for all VMs and management traffic. The ethtool-gro key overrides the PIF.properties:gro first-class field via a backward compatibility path. PIF.other_config has zero map_keys_roles entries and highest merge precedence in the other_config chain.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC hardware offload features on any physical interface by writing ethtool-gro=off, ethtool-tso=off, etc. to PIF.other_config. These keys are consumed at nm.ml:45-110 and applied via xcp-networkd. Disabling offloads forces software packet processing, degrading performance for all VMs and management traffic. The ethtool-gro key overrides the PIF.properties:gro first-class field via a backward compatibility path. PIF.other_config has zero map_keys_roles entries and highest merge precedence in the other_config chain."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0076"
            }
          ],
          "title": "Network Offload Disablement via PIF.other_config ethtool Keys"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0076"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0076",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0066 (moksha-2026-0066)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Metadata Propagation via VDI Snapshot and Clone Operations
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can poison VDI.xenstore_data before a snapshot or clone operation, causing malicious data to propagate to all descendant VDI records. The snapshot/clone code at xapi_vdi.ml:861-862 copies the parent xenstore_data to the new VDI without re-validation. A single injection fans out through the entire hierarchy. The propagation is permanent - removing the injection from the parent does not clean existing descendants.
    CWE
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can poison VDI.xenstore_data before a snapshot or clone operation, causing malicious data to propagate to all descendant VDI records. The snapshot/clone code at xapi_vdi.ml:861-862 copies the parent xenstore_data to the new VDI without re-validation. A single injection fans out through the entire hierarchy. The propagation is permanent - removing the injection from the parent does not clean existing descendants."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0066"
            }
          ],
          "title": "Metadata Propagation via VDI Snapshot and Clone Operations"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0066"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0066",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0005 (moksha-2026-0005)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    NFS Server Redirection via PBD.device_config
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can create an NFS SR with attacker-controlled server and serverpath values in PBD.device_config. The SM driver passes these values directly to mount.nfs without validation. The hypervisor mounts the attacker's NFS export as a storage repository, serving all VMs on that SR from attacker-controlled storage. The attacker controls all VM disk images, can inject malware into any VM, and exfiltrate all data written to the SR.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-918 - Server-Side Request Forgery (SSRF)
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can create an NFS SR with attacker-controlled server and serverpath values in PBD.device_config. The SM driver passes these values directly to mount.nfs without validation. The hypervisor mounts the attacker\u0027s NFS export as a storage repository, serving all VMs on that SR from attacker-controlled storage. The attacker controls all VM disk images, can inject malware into any VM, and exfiltrate all data written to the SR."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0005"
            }
          ],
          "title": "NFS Server Redirection via PBD.device_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0005"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0005",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0011 (moksha-2026-0011)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    VIF Backend VM Hijack via Network.other_config backend_vm
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all VIF traffic on a network through an attacker-controlled VM by setting Network.other_config:backend_vm to a VM UUID they control. XAPI reads this key in xapi_xenops.ml and returns Network.Remote(backend_vm, bridge) instead of Network.Local(bridge) for all subsequent VIF creations on that network. All VMs connected to the network have their traffic routed through the attacker VM, enabling traffic interception, credential sniffing, and man-in-the-middle attacks.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all VIF traffic on a network through an attacker-controlled VM by setting Network.other_config:backend_vm to a VM UUID they control. XAPI reads this key in xapi_xenops.ml and returns Network.Remote(backend_vm, bridge) instead of Network.Local(bridge) for all subsequent VIF creations on that network. All VMs connected to the network have their traffic routed through the attacker VM, enabling traffic interception, credential sniffing, and man-in-the-middle attacks."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0011"
            }
          ],
          "title": "VIF Backend VM Hijack via Network.other_config backend_vm"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0011"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0011",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0081 (moksha-2026-0081)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    I/O Polling Parameter Manipulation via VBD.other_config polling-duration
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VBD.other_config polling-duration and polling-idle-threshold to extreme values within the partially validated range. xenopsd applies these as I/O polling parameters without resource impact assessment. The accepted range includes values that produce suboptimal polling configurations, resulting in VBD performance degradation. The VBD.other_config field has zero map_keys_roles entries.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-862 - Missing Authorization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VBD.other_config polling-duration and polling-idle-threshold to extreme values within the partially validated range. xenopsd applies these as I/O polling parameters without resource impact assessment. The accepted range includes values that produce suboptimal polling configurations, resulting in VBD performance degradation. The VBD.other_config field has zero map_keys_roles entries."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0081"
            }
          ],
          "title": "I/O Polling Parameter Manipulation via VBD.other_config polling-duration"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0081"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0081",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0086 (moksha-2026-0086)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    License Expiry Manipulation via Host.license_params expiry
    Summary
    An attacker with root access on an XAPI-based hypervisor host (XenServer, XCP-ng) can set the expiry key in Host.license_params to never or a far-future date, preventing license expiry enforcement and suppressing alerts. The license_check.ml code reads this value and treats never as no expiration. The field has the strongest XAPI access control (_R_LOCAL_ROOT_ONLY, pool_internal, DynamicRO). This is a license compliance issue - root access already grants full system control.
    CWE
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker with root access on an XAPI-based hypervisor host (XenServer, XCP-ng) can set the expiry key in Host.license_params to never or a far-future date, preventing license expiry enforcement and suppressing alerts. The license_check.ml code reads this value and treats never as no expiration. The field has the strongest XAPI access control (_R_LOCAL_ROOT_ONLY, pool_internal, DynamicRO). This is a license compliance issue - root access already grants full system control."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0086"
            }
          ],
          "title": "License Expiry Manipulation via Host.license_params expiry"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0086"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0086",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0010 (moksha-2026-0010)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Block Device Path Injection via PBD.device_config
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject an arbitrary block device path via PBD.device_config:device when creating an EXT or LVM SR. The SM driver reads the path and passes it to pvcreate and vgcreate, which execute destructive operations on the attacker-chosen device. A systemroot check protects the host root device, but does not protect other partitions, additional disks, remote block devices, or other VMs' local storage. Data destruction on arbitrary accessible block devices results.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject an arbitrary block device path via PBD.device_config:device when creating an EXT or LVM SR. The SM driver reads the path and passes it to pvcreate and vgcreate, which execute destructive operations on the attacker-chosen device. A systemroot check protects the host root device, but does not protect other partitions, additional disks, remote block devices, or other VMs\u0027 local storage. Data destruction on arbitrary accessible block devices results."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:L/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0010"
            }
          ],
          "title": "Block Device Path Injection via PBD.device_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0010"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0010",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0053 (moksha-2026-0053)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    MTU Manipulation (0-65535) via VIF.other_config
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary MTU value (0 through 65535) on any VIF by writing the mtu key in VIF.other_config. The value is parsed by int_of_string at xapi_xenops.ml:773 with no range validation and applied via ip link set. Extreme MTU values cause network disruption including packet fragmentation, dropped frames, and connectivity failures.
    CWE
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary MTU value (0 through 65535) on any VIF by writing the mtu key in VIF.other_config. The value is parsed by int_of_string at xapi_xenops.ml:773 with no range validation and applied via ip link set. Extreme MTU values cause network disruption including packet fragmentation, dropped frames, and connectivity failures."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0053"
            }
          ],
          "title": "MTU Manipulation (0-65535) via VIF.other_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0053"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0053",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0041 (moksha-2026-0041)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Rolling Upgrade State Injection via Pool.other_config
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a fake rolling upgrade state by writing the rolling_upgrade_in_progress key to Pool.other_config. The mere presence of this key causes helpers.ml to return true, disabling version compatibility checks, altering pool behavior during operations, and preventing detection of version mismatches across the pool. The key has no map_keys_roles protection and no write-time validation.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a fake rolling upgrade state by writing the rolling_upgrade_in_progress key to Pool.other_config. The mere presence of this key causes helpers.ml to return true, disabling version compatibility checks, altering pool behavior during operations, and preventing detection of version mismatches across the pool. The key has no map_keys_roles protection and no write-time validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0041"
            }
          ],
          "title": "Rolling Upgrade State Injection via Pool.other_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0041"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0041",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0033 (moksha-2026-0033)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Rate Limit Bypass via VIF.qos_algorithm_params Large kbps Overflow
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params:kbps to an extremely large value that causes bytes_per_interval to exceed 0xffffffffL during computation in xenopsd. xenopsd correctly rejects the out-of-range value but does so silently with only a debug-level log. XAPI continues to show the configured rate limit in the database. The VM operates without network rate limiting while the management plane reports it as enforced.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-190 - Integer Overflow or Wraparound
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params:kbps to an extremely large value that causes bytes_per_interval to exceed 0xffffffffL during computation in xenopsd. xenopsd correctly rejects the out-of-range value but does so silently with only a debug-level log. XAPI continues to show the configured rate limit in the database. The VM operates without network rate limiting while the management plane reports it as enforced."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0033"
            }
          ],
          "title": "Rate Limit Bypass via VIF.qos_algorithm_params Large kbps Overflow"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0033"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0033",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0034 (moksha-2026-0034)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Coalesce Blocking via VDI.other_config leaf-coalesce
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can permanently block VHD leaf coalesce operations on any VDI by setting VDI.other_config:leaf-coalesce to false. The SM garbage collector reads this key and skips leaf coalesce when the value is false. Snapshot chains grow unbounded, consuming storage until the SR reaches capacity or the VHD chain exceeds maximum depth. The same mechanism allows disabling all garbage collection via gc=false or coalesce=false. These keys have no per-key RBAC protection.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-400 - Uncontrolled Resource Consumption
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can permanently block VHD leaf coalesce operations on any VDI by setting VDI.other_config:leaf-coalesce to false. The SM garbage collector reads this key and skips leaf coalesce when the value is false. Snapshot chains grow unbounded, consuming storage until the SR reaches capacity or the VHD chain exceeds maximum depth. The same mechanism allows disabling all garbage collection via gc=false or coalesce=false. These keys have no per-key RBAC protection."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0034"
            }
          ],
          "title": "Coalesce Blocking via VDI.other_config leaf-coalesce"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0034"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0034",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0002 (moksha-2026-0002)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Storage Protocol Injection via sm_config
    Summary
    A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can write arbitrary key-value pairs to VDI.sm_config and SR.sm_config. These fields store internal storage driver state including VHD chain metadata, GC control flags, and encryption key hashes. XAPI performs zero validation and never notifies the storage backend. SM drivers consume the attacker's data as authoritative internal state, turning the hypervisor into a silent proxy that forwards corrupted commands to the storage subsystem through the trusted management channel. Seven exploitation scenarios are confirmed with live evidence including VHD chain severance, SR-wide crash, GC misdirection, and storage saturation.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-862 - Missing Authorization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can write arbitrary key-value pairs to VDI.sm_config and SR.sm_config. These fields store internal storage driver state including VHD chain metadata, GC control flags, and encryption key hashes. XAPI performs zero validation and never notifies the storage backend. SM drivers consume the attacker\u0027s data as authoritative internal state, turning the hypervisor into a silent proxy that forwards corrupted commands to the storage subsystem through the trusted management channel. Seven exploitation scenarios are confirmed with live evidence including VHD chain severance, SR-wide crash, GC misdirection, and storage saturation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0002"
            }
          ],
          "title": "Storage Protocol Injection via sm_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0002"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0002",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0055 (moksha-2026-0055)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    set_other_config RBAC Bypass for PCI Passthrough Key
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can bypass the pool-admin-restricted pci key in VM.other_config by using VM.set_other_config instead of VM.add_to_other_config. The set_other_config method replaces the entire map atomically without checking per-key RBAC (map_keys_roles). This allows a vm-admin to assign PCI devices to a VM, granting the guest direct DMA access to host memory regions. The bypass is acknowledged in datamodel.ml:614-624 as a known architectural limitation.
    CWE
    • CWE-863 - Incorrect Authorization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can bypass the pool-admin-restricted pci key in VM.other_config by using VM.set_other_config instead of VM.add_to_other_config. The set_other_config method replaces the entire map atomically without checking per-key RBAC (map_keys_roles). This allows a vm-admin to assign PCI devices to a VM, granting the guest direct DMA access to host memory regions. The bypass is acknowledged in datamodel.ml:614-624 as a known architectural limitation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0055"
            }
          ],
          "title": "set_other_config RBAC Bypass for PCI Passthrough Key"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0055"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0055",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0018 (moksha-2026-0018)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    HA Timeout Manipulation via Pool.other_config (Split-Brain/Blindness)
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the High Availability timeout by setting Pool.other_config:default_ha_timeout to an arbitrary integer. The value is read by xapi_ha.ml via int_of_string with no range check. A timeout of 1 second causes spurious HA fencing events and cascading host reboots (split-brain). A timeout of 999999 seconds effectively disables HA, leaving host failures undetected for days and HA-protected VMs without failover. Both outcomes affect every HA-protected VM across the entire pool.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the High Availability timeout by setting Pool.other_config:default_ha_timeout to an arbitrary integer. The value is read by xapi_ha.ml via int_of_string with no range check. A timeout of 1 second causes spurious HA fencing events and cascading host reboots (split-brain). A timeout of 999999 seconds effectively disables HA, leaving host failures undetected for days and HA-protected VMs without failover. Both outcomes affect every HA-protected VM across the entire pool."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0018"
            }
          ],
          "title": "HA Timeout Manipulation via Pool.other_config (Split-Brain/Blindness)"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0018"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0018",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0012 (moksha-2026-0012)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    OVS Fail-Mode Denial of Service via Network.other_config
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause a complete network denial of service on any OVS bridge by setting Network.other_config:vswitch-controller-fail-mode to secure. In secure fail mode, OVS drops all packets when no SDN controller is reachable. Since most XAPI deployments do not configure an SDN controller, this immediately drops all traffic on the bridge, affecting every VM and management connection on that network.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause a complete network denial of service on any OVS bridge by setting Network.other_config:vswitch-controller-fail-mode to secure. In secure fail mode, OVS drops all packets when no SDN controller is reachable. Since most XAPI deployments do not configure an SDN controller, this immediately drops all traffic on the bridge, affecting every VM and management connection on that network."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0012"
            }
          ],
          "title": "OVS Fail-Mode Denial of Service via Network.other_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0012"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0012",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0077 (moksha-2026-0077)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    VIF NIC Offload Disablement via VIF.other_config ethtool Keys
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC offload features (TSO, GSO, etc.) on VIF backend devices by setting ethtool-tso=off and similar keys in VIF.other_config. The VIF hotplug script (vif-real:85-97) executes ethtool -K to disable offloads. This forces host CPU to perform software segmentation, increasing CPU utilization and degrading performance for co-located VMs. VIF.other_config has zero map_keys_roles entries - all ethtool keys are writable by vm-admin.
    CWE
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC offload features (TSO, GSO, etc.) on VIF backend devices by setting ethtool-tso=off and similar keys in VIF.other_config. The VIF hotplug script (vif-real:85-97) executes ethtool -K to disable offloads. This forces host CPU to perform software segmentation, increasing CPU utilization and degrading performance for co-located VMs. VIF.other_config has zero map_keys_roles entries - all ethtool keys are writable by vm-admin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0077"
            }
          ],
          "title": "VIF NIC Offload Disablement via VIF.other_config ethtool Keys"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0077"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0077",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0054 (moksha-2026-0054)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    MAC Address Collision via VM.other_config mac_seed
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can cause MAC address collisions by setting the mac_seed key in VM.other_config to a value copied from another VM. The MAC generation algorithm in xapi_vif_helpers.ml uses this seed deterministically. Pool-level duplicate detection exists but only runs during pool join and import, not during direct other_config writes. MAC collisions cause network connectivity failures, ARP table corruption, and traffic misdirection.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can cause MAC address collisions by setting the mac_seed key in VM.other_config to a value copied from another VM. The MAC generation algorithm in xapi_vif_helpers.ml uses this seed deterministically. Pool-level duplicate detection exists but only runs during pool join and import, not during direct other_config writes. MAC collisions cause network connectivity failures, ARP table corruption, and traffic misdirection."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0054"
            }
          ],
          "title": "MAC Address Collision via VM.other_config mac_seed"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0054"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0054",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0001 (moksha-2026-0001)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Arbitrary Host Device Mount via VBD.other_config backend-local
    Summary
    A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can mount any host block device as a guest virtual disk by writing an arbitrary filesystem path to VBD.other_config:backend-local. The attack requires a single API call, no exploit code, and produces no security alerts. The vulnerability collapses the entire XAPI RBAC hierarchy, granting root-equivalent access to the hypervisor host, cross-VM data exfiltration, credential theft, SSH backdoor injection, and lateral movement across shared storage.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can mount any host block device as a guest virtual disk by writing an arbitrary filesystem path to VBD.other_config:backend-local. The attack requires a single API call, no exploit code, and produces no security alerts. The vulnerability collapses the entire XAPI RBAC hierarchy, granting root-equivalent access to the hypervisor host, cross-VM data exfiltration, credential theft, SSH backdoor injection, and lateral movement across shared storage."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0001"
            }
          ],
          "title": "Arbitrary Host Device Mount via VBD.other_config backend-local"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0001"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0001",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0025 (moksha-2026-0025)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid)
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage protocol metadata by modifying targetIQN, target, datatype, or LUNid keys in SR.sm_config on iSCSI and HBA storage repositories. These keys are written by the SM driver during SR.create and read back during subsequent operations, but the field remains writable after creation. Modifying LUNid causes VDI operations to target the wrong LUN, enabling cross-SR data corruption. This is an SR-level variant of the SMC-1 storage protocol injection vector.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage protocol metadata by modifying targetIQN, target, datatype, or LUNid keys in SR.sm_config on iSCSI and HBA storage repositories. These keys are written by the SM driver during SR.create and read back during subsequent operations, but the field remains writable after creation. Modifying LUNid causes VDI operations to target the wrong LUN, enabling cross-SR data corruption. This is an SR-level variant of the SMC-1 storage protocol injection vector."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0025"
            }
          ],
          "title": "Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid)"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0025"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0025",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0069 (moksha-2026-0069)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Hypervisor Security Feature Manipulation via VM.platform (nx/hap)
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable CPU security features by writing to VM.platform keys. Setting nx=false removes DEP protection, hap=false forces shadow paging, nested-virt=true expands the hypervisor attack surface, and extreme max_grant_frames/max_maptrack_frames values cause resource exhaustion. The field has zero map_keys_roles entries - all security-critical hypervisor keys are writable by the lowest delegated management role.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable CPU security features by writing to VM.platform keys. Setting nx=false removes DEP protection, hap=false forces shadow paging, nested-virt=true expands the hypervisor attack surface, and extreme max_grant_frames/max_maptrack_frames values cause resource exhaustion. The field has zero map_keys_roles entries - all security-critical hypervisor keys are writable by the lowest delegated management role."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0069"
            }
          ],
          "title": "Hypervisor Security Feature Manipulation via VM.platform (nx/hap)"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0069"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0069",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0036 (moksha-2026-0036)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    LVM Configuration Injection via SR.other_config lvm-conf
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary LVM configuration by setting SR.other_config:lvm-conf to a crafted value. The value is interpolated into --config devices{VALUE} in LVM commands executed by SM drivers without sanitization. The LVM --config parameter accepts arbitrary configuration overrides including device filter rules, enabling device filter manipulation that affects which block devices LVM operates on across storage repositories.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary LVM configuration by setting SR.other_config:lvm-conf to a crafted value. The value is interpolated into --config devices{VALUE} in LVM commands executed by SM drivers without sanitization. The LVM --config parameter accepts arbitrary configuration overrides including device filter rules, enabling device filter manipulation that affects which block devices LVM operates on across storage repositories."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 7.0,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-88",
                  "description": "Improper Neutralization of Argument Delimiters in a Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0036"
            }
          ],
          "title": "LVM Configuration Injection via SR.other_config lvm-conf"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0036"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0036",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0050 (moksha-2026-0050)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    LUNperVDI Mode Manipulation via SR.sm_config
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt the VDI management mode of a storage repository by adding or removing the LUNperVDI key in SR.sm_config. This key controls whether the SR maps one LUN per VDI or uses shared LUNs with VHD containers. Mode mismatch causes VDI creation, deletion, and scanning failures. The sm_config field has zero map_keys_roles entries and remains writable after SR creation despite being intended as driver-managed metadata.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt the VDI management mode of a storage repository by adding or removing the LUNperVDI key in SR.sm_config. This key controls whether the SR maps one LUN per VDI or uses shared LUNs with VHD containers. Mode mismatch causes VDI creation, deletion, and scanning failures. The sm_config field has zero map_keys_roles entries and remains writable after SR creation despite being intended as driver-managed metadata."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0050"
            }
          ],
          "title": "LUNperVDI Mode Manipulation via SR.sm_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0050"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0050",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0008 (moksha-2026-0008)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Storage Driver Domain PBD Detach DoS via VM.other_config
    Summary
    A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can inject a PBD reference into VM.other_config:storage_driver_domain. When the VM is shut down, XAPI calls Storage_access.reset on the referenced PBD's SR and sets the PBD's currently_attached field to false, clearing internal storage state. When the VM starts, XAPI forces a PBD plug on the injected reference. This enables denial-of-service against arbitrary storage repositories by cycling the injected VM's lifecycle.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can inject a PBD reference into VM.other_config:storage_driver_domain. When the VM is shut down, XAPI calls Storage_access.reset on the referenced PBD\u0027s SR and sets the PBD\u0027s currently_attached field to false, clearing internal storage state. When the VM starts, XAPI forces a PBD plug on the injected reference. This enables denial-of-service against arbitrary storage repositories by cycling the injected VM\u0027s lifecycle."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0008"
            }
          ],
          "title": "Storage Driver Domain PBD Detach DoS via VM.other_config"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0008"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0008",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0032 (moksha-2026-0032)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Bidirectional Data Exfiltration via VM.xenstore_data Guest-to-XAPI-DB Sync
    Summary
    The VM.xenstore_data field in XAPI-based hypervisors (XenServer, XCP-ng) creates a bidirectional data channel between guest domains and the XAPI management database. Guest writes to vm-data/ in xenstore are read by xenopsd during periodic state synchronization and propagated into VM.xenstore_data in the XAPI database. This is the only confirmed path where a guest domain can inject data into the XAPI database without API authentication. Any API consumer reading VM.xenstore_data receives attacker-injected values.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-653 - Improper Isolation or Compartmentalization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The VM.xenstore_data field in XAPI-based hypervisors (XenServer, XCP-ng) creates a bidirectional data channel between guest domains and the XAPI management database. Guest writes to vm-data/ in xenstore are read by xenopsd during periodic state synchronization and propagated into VM.xenstore_data in the XAPI database. This is the only confirmed path where a guest domain can inject data into the XAPI database without API authentication. Any API consumer reading VM.xenstore_data receives attacker-injected values."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "Improper Isolation or Compartmentalization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0032"
            }
          ],
          "title": "Bidirectional Data Exfiltration via VM.xenstore_data Guest-to-XAPI-DB Sync"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0032"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0032",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0038 (moksha-2026-0038)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Provisioning Type Manipulation via SR.sm_config allocation
    Summary
    A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage provisioning behavior by modifying or removing the allocation key in SR.sm_config after SR creation. The key controls whether LVHD SRs use thin or thick provisioning. Changing allocation from thin to thick causes new VDIs to pre-allocate full LV size instead of thin-provisioning. On overcommitted SRs, this causes immediate storage exhaustion. Restoring the key does not shrink already-inflated LVs - recovery requires storage migration.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage provisioning behavior by modifying or removing the allocation key in SR.sm_config after SR creation. The key controls whether LVHD SRs use thin or thick provisioning. Changing allocation from thin to thick causes new VDIs to pre-allocate full LV size instead of thin-provisioning. On overcommitted SRs, this causes immediate storage exhaustion. Restoring the key does not shrink already-inflated LVs - recovery requires storage migration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0038"
            }
          ],
          "title": "Provisioning Type Manipulation via SR.sm_config allocation"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0038"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0038",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0068 (moksha-2026-0068)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Guest Xenstore Data Injection via VM.platform Map
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VM.platform, and the entire map is written to guest-visible xenstore at /local/domain/<domid>/platform/ during domain creation (domain.ml:486). Guest OSes and guest agents treat all platform xenstore entries as trusted hypervisor configuration. There is no filtering, no key whitelist for guest visibility, and no map_keys_roles protection. Injected keys are indistinguishable from legitimate hypervisor configuration.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-20 - Improper Input Validation
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VM.platform, and the entire map is written to guest-visible xenstore at /local/domain/\u003cdomid\u003e/platform/ during domain creation (domain.ml:486). Guest OSes and guest agents treat all platform xenstore entries as trusted hypervisor configuration. There is no filtering, no key whitelist for guest visibility, and no map_keys_roles protection. Injected keys are indistinguishable from legitimate hypervisor configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0068"
            }
          ],
          "title": "Guest Xenstore Data Injection via VM.platform Map"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0068"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0068",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0044 (moksha-2026-0044)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    QEMU -parallel Path Traversal (VM DoS) via VM.platform
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can prevent a VM from starting by injecting a path traversal payload into VM.platform:parallel. The prefix check in vm_platform.ml accepts any string starting with /dev/parport, but path traversal payloads pass the check and are forwarded to QEMU as the -parallel argument. QEMU's parport chardev backend expects a device node - the payload causes QEMU initialization failure, preventing VM startup. No host filesystem read or write capability was confirmed.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can prevent a VM from starting by injecting a path traversal payload into VM.platform:parallel. The prefix check in vm_platform.ml accepts any string starting with /dev/parport, but path traversal payloads pass the check and are forwarded to QEMU as the -parallel argument. QEMU\u0027s parport chardev backend expects a device node - the payload causes QEMU initialization failure, preventing VM startup. No host filesystem read or write capability was confirmed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0044"
            }
          ],
          "title": "QEMU -parallel Path Traversal (VM DoS) via VM.platform"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0044"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0044",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    MOKSHA-2026-0078 (moksha-2026-0078)

    Vulnerability from moksha – Published: 2026-04-24 06:00 – Updated:
    VLAI
    Title
    Guest Clock Manipulation via VDI.other_config timeoffset
    Summary
    A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the guest VM's RTC clock by setting the timeoffset key in VDI.other_config. When a VDI has on_boot=reset, the VDI-level timeoffset overrides the VM platform setting during domain creation (xapi_xenops.ml:312-327). No type validation enforces the expected integer format - arbitrary strings are accepted. Corrupted guest clock affects Windows license validation, certificate expiration, Kerberos authentication, and audit trail integrity. The field has no map_keys_roles entries for infrastructure keys.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-862 - Missing Authorization
    References
    Impacted products
    Credits
    Jakob Wolffhechel, Moksha
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "XenServer",
              "vendor": "Cloud Software Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "XCP-ng",
              "vendor": "Vates",
              "versions": [
                {
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakob Wolffhechel, Moksha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the guest VM\u0027s RTC clock by setting the timeoffset key in VDI.other_config. When a VDI has on_boot=reset, the VDI-level timeoffset overrides the VM platform setting during domain creation (xapi_xenops.ml:312-327). No type validation enforces the expected integer format - arbitrary strings are accepted. Corrupted guest clock affects Windows license validation, certificate expiration, Kerberos authentication, and audit trail integrity. The field has no map_keys_roles entries for infrastructure keys."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T06:00:00Z",
            "orgId": "moksha.dk",
            "shortName": "Moksha"
          },
          "references": [
            {
              "url": "https://cna.moksha.dk/MOKSHA-2026-0078"
            }
          ],
          "title": "Guest Clock Manipulation via VDI.other_config timeoffset"
        }
      },
      "cveMetadata": {
        "alternateIds": [
          "GCVE-117-2026-0078"
        ],
        "assignerOrgId": "moksha.dk",
        "cveId": "MOKSHA-2026-0078",
        "datePublished": "2026-04-24T06:00:00Z",
        "state": "PUBLISHED",
        "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned."
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }