Back to overview

CVE-2026-23556

CRITICAL
9.4
CVSS 4.0
Description
When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.

Metadata

CVE ID
CVE-2026-23556
State
PUBLISHED
Assigner
XEN
Reserved
2026-01-14 13:07 UTC
Published
2026-07-09 14:48 UTC
Last updated
2026-07-09 15:37 UTC
Primary CWE
CWE-281
CWE-281 Improper preservation of permissions
Vendor / Product
Xen / oxenstored
Sources
cve.org  ·  NVD

Severity & Metrics

9.4 CRITICAL CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Xen oxenstored all
Weakness (CWE)
CWESourceDescription
CWE-281 cna CWE-281 Improper preservation of permissions
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.4 CRITICAL 4.0 cna CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Back to overview