CVE-2026-23556

CRITICAL

oxenstored keeps quota related use counts across domain destruction

Title source: cna
STIX 2.1

Description

When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.

Scores

CVSS v4 9.4
EPSS 0.0014
EPSS Percentile 3.5%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-281
Status published
Products (1)
Xen/oxenstored all
Published Jul 09, 2026
Tracked Since Jul 09, 2026