CVE-2026-23556
CRITICALoxenstored keeps quota related use counts across domain destruction
Title source: cnaDescription
When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.
References (3)
Core 3
Core References
Various Sources
http://xenbits.xen.org/xsa/advisory-483.html
Scores
CVSS v4
9.4
EPSS
0.0014
EPSS Percentile
3.5%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-281
Status
published
Products (1)
Xen/oxenstored
all
Published
Jul 09, 2026
Tracked Since
Jul 09, 2026