Back to overview

CVE-2025-58146

CRITICAL
9.4
CVSS 4.0
Description
There are multiple issues. 1. Updates to the XAPI database sanitise input strings, but try generating the notification using the unsanitised input. This causes the database's event thread to terminate and cease further processing. 2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI uses libraries which conform to the stricter v3.1 of the Unicode spec. This causes some strings to be accepted as valid UTF-8 by XAPI, but rejected by other libraries in use. Notably, such strings can be entered into the database, after which the database can no longer be loaded. 3. There is no input sanitisation for Map/Set updates on objects in the XAPI database.

Metadata

CVE ID
CVE-2025-58146
State
PUBLISHED
Assigner
XEN
Reserved
2025-08-26 06:48 UTC
Published
2026-07-09 14:42 UTC
Last updated
2026-07-09 16:07 UTC
Primary CWE
CWE-20
CWE-20 Improper input validation
Vendor / Product
Xen / XAPI
Sources
cve.org  ·  NVD

Severity & Metrics

9.4 CRITICAL CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Xen XAPI Linux all
Weakness (CWE)
CWESourceDescription
CWE-20 cna CWE-20 Improper input validation
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.4 CRITICAL 4.0 cna CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Back to overview