SB2026043082 - Multiple vulnerabilities in Citrix XenServer




Published: April 30, 2026

Security Bulletin ID: SB2026043082
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 33%, Low: 67%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Race condition (CVE-ID: CVE-2026-23558)

The vulnerability allows a remote user to escalate privileges, disclose sensitive information, or cause a denial of service.

The vulnerability exists due to a race condition in status page mapping via XENMEM_add_to_physmap when changing the grant table version from v2 to v1 in parallel with mapping status pages. A remote user can trigger concurrent grant table version changes and status page mappings to escalate privileges, disclose sensitive information, or cause a denial of service.

Only x86 HVM and PVH guests permitted to use grant table version 2 interfaces can leverage this vulnerability.


2) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-23556)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper resource management in oxenstored quota use counts when tearing down and reusing domain IDs. A remote user can deliberately hit its quota and reboot a domain to cause a denial of service.

Only systems configured to use oxenstored are vulnerable.


3) Improper access control (CVE-ID: CVE-2026-23559)

The vulnerability allows a remote user to read and modify arbitrary files in dom0.

The vulnerability exists due to improper access control in VBD.other_config:backend-local handling when configuring a virtual block device. A remote user can set the backend-local option to turn arbitrary files in dom0 into virtual disks and attach them to a VM they control to read and modify arbitrary files in dom0.

The vulnerability is exposed only when RBAC is configured for the pool.


4) Improper access control (CVE-ID: CVE-2026-23560)

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in VM.other-config:is_system_domain when modifying VM configuration. A remote user can mark a VM as a system domain to escalate privileges.

System domains may be ignored and left running during certain host or pool operations, and may be hidden from view in tooling.


5) Improper access control (CVE-ID: CVE-2026-23561)

The vulnerability allows a remote user to disrupt storage management operations.

The vulnerability exists due to improper access control in VM.other_config:storage_driver_domain when modifying VM configuration. A remote user can mark a VM as the storage domain for a host storage connection and shut down that VM to disrupt storage management operations.

Shutting down the VM can cause the associated PBD to be erroneously marked as unplugged when it is not. The vulnerability is exposed only when RBAC is configured for the pool.


6) Observable discrepancy (CVE-ID: CVE-2025-54505)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to transient execution in the floating-point divisor unit when executing floating-point operations in privileged code. A local user can sample data from the floating-point divisor unit to disclose sensitive information.

The issue affects systems with SMT enabled as well as systems without SMT.


Remediation

Install the update from the vendor's website.
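
A configuration review for items 3 to 5, as an added example that is not part of the bulletin or vendor code: it scans VM and VBD records for the three other_config keys named above so that any occurrence can be checked against the intended pool configuration. The record layout is assumed to match what XenAPI's VM.get_all_records() and VBD.get_all_records() return; the function names, the hyphen/underscore normalisation and the sample records are this example's own.

```python
# Added example (not vendor code). Record shapes are assumed to match the
# {opaque_ref: record} dicts returned by XenAPI get_all_records() calls.
WATCHED = {  # other_config keys named in items 3-5 of this bulletin
    "VBD": {"backend-local": "CVE-2026-23559"},
    "VM": {"is_system_domain": "CVE-2026-23560",
           "storage_driver_domain": "CVE-2026-23561"},
}

def _norm(key):
    # Assumption: treat '-' and '_' spellings alike so near-variants get reviewed.
    return key.strip().lower().replace("-", "_")

def audit(cls, records, vms):
    """Return one finding per watched other_config key set on a cls object."""
    watched = {_norm(k): (k, cve) for k, cve in WATCHED[cls].items()}
    findings = []
    for ref, rec in sorted(records.items()):
        # For a VBD, resolve the VM it is attached to so the finding names it.
        vm = rec if cls == "VM" else vms.get(rec.get("VM"), {})
        for key, value in sorted((rec.get("other_config") or {}).items()):
            if _norm(key) in watched:
                name, cve = watched[_norm(key)]
                findings.append({"obj": cls, "uuid": rec.get("uuid"), "key": name,
                                 "value": value, "cve": cve,
                                 "vm": vm.get("name_label", "<unknown>")})
    return findings

def audit_pool(vms, vbds):
    return audit("VM", vms, vms) + audit("VBD", vbds, vms)

# Constructed sample records: UUIDs, names and values are made up.
SAMPLE_VMS = {
    "OpaqueRef:vm-1": {"uuid": "vm-uuid-1", "name_label": "build-agent",
                       "other_config": {"is_system_domain": "true"}},
    "OpaqueRef:vm-2": {"uuid": "vm-uuid-2", "name_label": "web01",
                       "other_config": {"base_template_name": "constructed"}},
    "OpaqueRef:vm-3": {"uuid": "vm-uuid-3", "name_label": "nfs-helper",
                       "other_config": {"storage_driver_domain": "constructed-value"}},
}
SAMPLE_VBDS = {
    "OpaqueRef:vbd-1": {"uuid": "vbd-uuid-1", "VM": "OpaqueRef:vm-1",
                        "other_config": {"backend-local": "constructed-value"}},
    "OpaqueRef:vbd-2": {"uuid": "vbd-uuid-2", "VM": "OpaqueRef:vm-2",
                        "other_config": {"owner": ""}},
}

if __name__ == "__main__":
    for f in audit_pool(SAMPLE_VMS, SAMPLE_VBDS):
        print("{cve} {obj}.other_config:{key}={value!r} uuid={uuid} vm={vm}".format(**f))
```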