Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0509
Vulnerability from certfr_avis - Published: 2026-04-29 - Updated: 2026-04-29
De multiples vulnérabilités ont été découvertes dans Xen. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| XEN | Xen | Xen toutes versions utilisant XAPI sans les derniers correctifs de sécurité | ||
| XEN | Xen | Xen toutes versions incluant le correctif de sécurité XSA-419 sans le correctif xsa483-xapi.patch pour Xen XAPI oxenstored | ||
| XEN | Xen | Xen sur systèmes x86 ou Arm PVH ou HVM avec un noyau linux postérieur à 3.8 sans le correctif de sécurité xsa487-linux.patch | ||
| XEN | Xen | Xen toutes versions incluant le correctif de sécurité XSA-419 sans le correctif xsa483.patch pour Xen 4.18.x | ||
| XEN | Xen | Xen versions postérieures ou égales à 4.2 sans le correctif de sécurité xsa484.patch applicable pour Xen 4.18.x | ||
| XEN | Xen | Xen versions 4.17.x et 4.18.x sans le correctif de sécurité xsa486-4.18.patch | ||
| XEN | Xen | Xen versions postérieures ou égales à 4.2 sans le correctif de sécurité xsa484-4.17.patch applicable pour Xen 4.17.x | ||
| XEN | Xen | Xen avec un noyau linux postérieur à 4.12 sans le correctif de sécurité xsa485-linux.patch | ||
| XEN | Xen | Xen versions 4.19.x sans le correctif de sécurité xsa486.patch | ||
| XEN | Xen | Xen toutes versions incluant le correctif de sécurité XSA-419 sans le correctif xsa483-4.17.patch pour Xen 4.17.x |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen toutes versions utilisant XAPI sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen toutes versions incluant le correctif de s\u00e9curit\u00e9 XSA-419 sans le correctif xsa483-xapi.patch pour Xen XAPI oxenstored",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen sur syst\u00e8mes x86 ou Arm PVH ou HVM avec un noyau linux post\u00e9rieur \u00e0 3.8 sans le correctif de s\u00e9curit\u00e9 xsa487-linux.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen toutes versions incluant le correctif de s\u00e9curit\u00e9 XSA-419 sans le correctif xsa483.patch pour Xen 4.18.x",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions post\u00e9rieures ou \u00e9gales \u00e0 4.2 sans le correctif de s\u00e9curit\u00e9 xsa484.patch applicable pour Xen 4.18.x",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.17.x et 4.18.x sans le correctif de s\u00e9curit\u00e9 xsa486-4.18.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions post\u00e9rieures ou \u00e9gales \u00e0 4.2 sans le correctif de s\u00e9curit\u00e9 xsa484-4.17.patch applicable pour Xen 4.17.x",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen avec un noyau linux post\u00e9rieur \u00e0 4.12 sans le correctif de s\u00e9curit\u00e9 xsa485-linux.patch ",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.19.x sans le correctif de s\u00e9curit\u00e9 xsa486.patch ",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen toutes versions incluant le correctif de s\u00e9curit\u00e9 XSA-419 sans le correctif xsa483-4.17.patch pour Xen 4.17.x",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2026-23559",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23559"
},
{
"name": "CVE-2026-42486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42486"
},
{
"name": "CVE-2026-23558",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23558"
},
{
"name": "CVE-2026-23556",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23556"
},
{
"name": "CVE-2026-31786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31786"
},
{
"name": "CVE-2026-23561",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23561"
},
{
"name": "CVE-2026-23557",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23557"
},
{
"name": "CVE-2026-23560",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23560"
},
{
"name": "CVE-2026-23562",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23562"
}
],
"initial_release_date": "2026-04-29T00:00:00",
"last_revision_date": "2026-04-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0509",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-484",
"url": "https://xenbits.xen.org/xsa/advisory-484.html"
},
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-489",
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
},
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-485",
"url": "https://xenbits.xen.org/xsa/advisory-485.html"
},
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-486",
"url": "https://xenbits.xen.org/xsa/advisory-486.html"
},
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-487",
"url": "https://xenbits.xen.org/xsa/advisory-487.html"
},
{
"published_at": "2026-04-28",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-483",
"url": "https://xenbits.xen.org/xsa/advisory-483.html"
}
]
}
CVE-2026-23556 (GCVE-0-2026-23556)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:48 – Updated: 2026-07-09 15:37
VLAI
EPSS
VEX
Title
oxenstored keeps quota related use counts across domain destruction
Summary
When oxenstored is tearing a domain down, the node data is cleaned up
but the usage counts are leaked.
When the domain ID is eventually reused, the new domain can create fewer
nodes before beeing deemed to be over quota.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper preservation of permissions
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | oxenstored |
Affected:
all
|
Credits
This issue was discovered by Andrii Sultanov of Vates.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:06:25.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/10"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-483.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:34:22.728700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:37:46.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "oxenstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrii Sultanov of Vates."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eWhen oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota.\u003c/pre\u003e"
}
],
"value": "When oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota."
}
],
"impacts": [
{
"capecId": "CAPEC-548",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-548 Contaminate Resource"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper preservation of permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:48:56.630Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-483.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "oxenstored keeps quota related use counts across domain destruction",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23556",
"datePublished": "2026-07-09T14:48:56.630Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T15:37:46.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23557 (GCVE-0-2026-23557)
Vulnerability from cvelistv5 – Published: 2026-05-19 12:49 – Updated: 2026-05-19 14:42
VLAI
EPSS
VEX
Title
Xenstored DoS via XS_RESET_WATCHES command
Summary
Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES
command within a transaction due to an assert() triggering.
In case xenstored was built with NDEBUG #defined nothing bad will
happen, as assert() is doing nothing in this case. Note that the
default is not to define NDEBUG for xenstored builds even in release
builds of Xen.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
Date Public
2026-04-28 12:00
Credits
This issue was discovered by Andrii Sultanov of Vates.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-19T13:06:41.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/11"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-484.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T14:42:12.994792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T14:42:45.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-484"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen systems from Xen 4.2 onwards are vulnerable. Systems up to\nXen 4.1 are not vulnerable.\n\nSystems using the C variant of xenstored or xenstore-stubdom built\nwithout NDEBUG are vulnerable. Systems using the OCaml variant of\nXenstore (oxenstored), or the C variant (xenstored or xenstore-stubdom)\nbuilt with NDEBUG defined are not vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrii Sultanov of Vates."
}
],
"datePublic": "2026-04-28T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES\ncommand within a transaction due to an assert() triggering.\n\nIn case xenstored was built with NDEBUG #defined nothing bad will\nhappen, as assert() is doing nothing in this case. Note that the\ndefault is not to define NDEBUG for xenstored builds even in release\nbuilds of Xen."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Any unprivileged domain can cause xenstored to crash, causing a\nDoS (denial of service) for any Xenstore action. This will result\nin an inability to perform further domain administration on the host."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:49:42.202Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-484.html"
}
],
"title": "Xenstored DoS via XS_RESET_WATCHES command",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation available."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23557",
"datePublished": "2026-05-19T12:49:42.202Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-05-19T14:42:45.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23558 (GCVE-0-2026-23558)
Vulnerability from cvelistv5 – Published: 2026-05-19 12:49 – Updated: 2026-05-20 03:55
VLAI
EPSS
VEX
Title
grant table v2 race in status page mapping
Summary
The adjustments made for XSA-379 as well as those subsequently becoming
XSA-387 still left a race window, when a HVM or PVH guest does a grant
table version change from v2 to v1 in parallel with mapping the status
page(s) via XENMEM_add_to_physmap. Some of the status pages may then be
freed while mappings of them would still be inserted into the guest's
secondary (P2M) page tables.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Date Public
2026-04-28 12:00
Credits
This issue was discovered by Claude Opus 4.6 and diagnosed as a security
issue by Rafal Wojtczuk.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-19T13:06:51.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/13"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-486.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T03:55:35.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-486"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and\nolder are not affected.\n\nOnly x86 HVM and PVH guests permitted to use grant table version 2\ninterfaces can leverage this vulnerability. x86 PV guests cannot\nleverage this vulnerability. On Arm, grant table v2 use is explicitly\nunsupported."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Claude Opus 4.6 and diagnosed as a security\nissue by Rafal Wojtczuk."
}
],
"datePublic": "2026-04-28T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The adjustments made for XSA-379 as well as those subsequently becoming\nXSA-387 still left a race window, when a HVM or PVH guest does a grant\ntable version change from v2 to v1 in parallel with mapping the status\npage(s) via XENMEM_add_to_physmap. Some of the status pages may then be\nfreed while mappings of them would still be inserted into the guest\u0027s\nsecondary (P2M) page tables."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, information leaks, and Denial of Service (DoS) up\nto affecting the entire host cannot be excluded."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:49:54.652Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-486.html"
}
],
"title": "grant table v2 race in status page mapping",
"workarounds": [
{
"lang": "en",
"value": "Using the \"gnttab=max-ver:1\" hypervisor command line option will avoid\nthe vulnerability.\n\nUsing the \"max_grant_version=1\" guest configuration option for HVM and PVH\nguests will also avoid the vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23558",
"datePublished": "2026-05-19T12:49:54.652Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-05-20T03:55:35.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23559 (GCVE-0-2026-23559)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:09 – Updated: 2026-07-09 16:02
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-29 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:02:25.587757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:02:32.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-29T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n \u003ca href=\"https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\"\u003ehttps://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003c/a\u003e\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write.\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles \n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:09:51.762Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23559",
"datePublished": "2026-07-09T15:09:51.762Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:02:32.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23560 (GCVE-0-2026-23560)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:12 – Updated: 2026-07-09 16:08
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:08:07.196380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:08:13.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:12:00.013Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23560",
"datePublished": "2026-07-09T15:12:00.013Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:08:13.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23561 (GCVE-0-2026-23561)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:13 – Updated: 2026-07-09 16:08
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:08:36.337261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:08:43.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:13:50.370Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23561",
"datePublished": "2026-07-09T15:13:22.160Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:08:43.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23562 (GCVE-0-2026-23562)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:15 – Updated: 2026-07-09 16:16
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:16:08.484324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:16:14.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:15:24.093Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23562",
"datePublished": "2026-07-09T15:15:24.093Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:16:14.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31786 (GCVE-0-2026-31786)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI
EPSS
VEX
Title
Buffer overflow in drivers/xen/sys-hypervisor.c
Summary
In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.
The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017
So use a memcpy instead of sprintf to have the correct value:
00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014
(the above have a hack to embed a zero inside and check it's
returned correctly).
This is XSA-485 / CVE-2026-31786
Severity
7.8 (High)
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
84b7625728ea311ea35bdaa0eded53c1c56baeaa , < e3af585e1728c917682b6a3de9a69b41fb9194d4
(git)
Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 8288d031a01dbacfde3fc643f7be3d23504de64d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < f458ba102da97fafca106327086fc95f3fc764cb (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 4b4defd2fce3f966c25adabf46644a85558f1169 (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < d5f59216650c51e5e3fcb7517c825bc8047f60ef (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 27fdbab4221b375de54bf91919798d88520c6e28 (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 5.10.254 , ≤ 5.10.* (semver) Unaffected: 5.15.204 , ≤ 5.15.* (semver) Unaffected: 6.1.170 , ≤ 6.1.* (semver) Unaffected: 6.6.137 , ≤ 6.6.* (semver) Unaffected: 6.12.85 , ≤ 6.12.* (semver) Unaffected: 6.18.26 , ≤ 6.18.* (semver) Unaffected: 7.0.3 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:32.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/12"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-485.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3af585e1728c917682b6a3de9a69b41fb9194d4",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "8288d031a01dbacfde3fc643f7be3d23504de64d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "f458ba102da97fafca106327086fc95f3fc764cb",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "4b4defd2fce3f966c25adabf46644a85558f1169",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "d5f59216650c51e5e3fcb7517c825bc8047f60ef",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "52cecff98bda2c51eed1c6ce9d21c5d6268fb19d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "27fdbab4221b375de54bf91919798d88520c6e28",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|\n00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|\n00000010 b9 a8 01 42 |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it\u0027s\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:38.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4"
},
{
"url": "https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d"
},
{
"url": "https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb"
},
{
"url": "https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169"
},
{
"url": "https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a"
},
{
"url": "https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef"
},
{
"url": "https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d"
},
{
"url": "https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28"
}
],
"title": "Buffer overflow in drivers/xen/sys-hypervisor.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31786",
"datePublished": "2026-04-30T10:31:28.293Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:38.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31787 (GCVE-0-2026-31787)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI
EPSS
VEX
Title
xen/privcmd: fix double free via VMA splitting
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d71f513985c22f1050295d1a7e4327cf9fb060da , < dbf862ce9f009128ab86b234d91413a3e450beb4
(git)
Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2b985d3a024b9e8c24e21671b34e855569763808 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 1576ff3869cbd3620717195f971c85b7d7fd62b5 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 402d84ad9e89bd4cbfd07ca8598532b7021daf95 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2894a351fe2ea8684919d36df3188b9a35e3926f (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 71bf829800758a6e3889096e4754ef47ba7fc850 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 24daca4fc07f3ff8cd0e3f629cd982187f48436a (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 5.10.254 , ≤ 5.10.* (semver) Unaffected: 5.15.204 , ≤ 5.15.* (semver) Unaffected: 6.1.170 , ≤ 6.1.* (semver) Unaffected: 6.6.137 , ≤ 6.6.* (semver) Unaffected: 6.12.85 , ≤ 6.12.* (semver) Unaffected: 6.18.26 , ≤ 6.18.* (semver) Unaffected: 7.0.3 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:37.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-487.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf862ce9f009128ab86b234d91413a3e450beb4",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2b985d3a024b9e8c24e21671b34e855569763808",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "1576ff3869cbd3620717195f971c85b7d7fd62b5",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "402d84ad9e89bd4cbfd07ca8598532b7021daf95",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2894a351fe2ea8684919d36df3188b9a35e3926f",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "446ee446d9ae66f36e95c3c90bbcc4e56b94cde0",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "71bf829800758a6e3889096e4754ef47ba7fc850",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "24daca4fc07f3ff8cd0e3f629cd982187f48436a",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:41.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
},
{
"url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
},
{
"url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
},
{
"url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
},
{
"url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
},
{
"url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
},
{
"url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
},
{
"url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
}
],
"title": "xen/privcmd: fix double free via VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31787",
"datePublished": "2026-04-30T10:31:28.992Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:41.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42486 (GCVE-0-2026-42486)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:16 – Updated: 2026-07-09 16:16
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:16:29.894886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:16:34.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:16:34.880Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42486",
"datePublished": "2026-07-09T15:16:34.880Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-07-09T16:16:34.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…