CVE-2026-23557

Vulnerability

Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction, triggering an assert() call [1]. The vulnerability affects all Xen systems from version 4.2 onwards that use the C variant of xenstored or xenstore-stubdom built without the NDEBUG preprocessor macro defined [2]. The OCaml variant (oxenstored) and C variants built with NDEBUG are not vulnerable [2]. The default build configuration does not define NDEBUG, even for release builds [1].

Exploitation

An unprivileged domain, with no special authentication or access rights, can send a crafted XS_RESET_WATCHES request inside an open transaction [1][2]. The assert() in the transaction processing code will fail, causing xenstored to terminate [1]. No write access or user interaction is required; the attacker only needs the ability to issue Xenstore protocol commands from the guest [2].

Impact

A successful exploit causes xenstored to crash, resulting in a denial of service for all Xenstore operations [2]. This prevents any further domain administration on the host, including creating, destroying, or configuring virtual machines, until xenstored is manually restarted [2]. The crash does not affect other guest operations beyond Xenstore access.

Mitigation

Xen has released patches for the vulnerability; see the xen-unstable, Xen 4.18.x, and 4.17.x branches [2]. The fixed version information is available in the advisory [2]. Systems using the OCaml variant of Xenstore (oxenstored) or C variants built with NDEBUG defined are not affected [2]. As of the advisory publication date, no workaround is available [2].