CVE-2026-42486info

Summary

by MITRE • 07/09/2026

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system.

Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerabilities described in this XAPI RBAC implementation represent a series of privilege escalation and unauthorized access issues within XenServer's role-based access control framework. These flaws demonstrate inadequate enforcement of administrative boundaries that allow lower-privilege users to perform actions typically restricted to higher-level administrators. The core issue stems from insufficient validation of user roles when processing API calls, creating opportunities for vm-admin level users to bypass expected security controls and gain unauthorized system access.

The primary technical flaw involves improper authorization checks within the XAPI subsystem where certain configuration parameters can be modified by users with roles below the required privilege level. CVE-2026-23559 specifically demonstrates how a vm-admin user can manipulate VBD.other_config:backend-local settings to convert arbitrary dom0 files into virtual disks, creating an arbitrary read and modify capability against the host operating system. This vulnerability maps directly to CWE-284 Access Control Issues and represents a critical privilege escalation vector that could lead to complete system compromise. The ability to turn dom0 filesystem objects into VDIs creates a pathway for both data exfiltration and potential code execution within the hypervisor environment.

CVE-2026-23560 exposes another authorization bypass where vm-admin users can set VM.other-config:is_system_domain, allowing them to mark virtual machines as system domains that evade normal host operations and may remain hidden from management tools. This represents a denial of service vector and potential information disclosure risk that aligns with ATT&CK technique T1484.001 for Privilege Escalation through manipulation of system processes. The vulnerability demonstrates how improper access control can allow users to manipulate system behavior in ways that could interfere with normal operations or hide malicious activity from administrators.

CVE-2026-23561 shows how vm-admin users can set VM.other_config:storage_driver_domain, creating a scenario where shutting down a VM can cause a PBD (Physical Block Device) to be incorrectly marked as unplugged. This represents an operational disruption vulnerability that could affect storage availability and data integrity, mapping to CWE-285 Authorization Issues in storage management contexts. The improper state management creates potential for cascading failures in storage operations that could impact multiple virtual machines or even the entire host system.

The remaining vulnerabilities focus on hardware access controls and system parameter modifications that should require pool-admin privileges but are accessible to vm-admin users. CVE-2026-23562 demonstrates a missing authorization check for PCI passthrough configuration, allowing vm-admin users to gain access to unintended host hardware resources that could be exploited for privilege escalation or resource exhaustion attacks. This aligns with CWE-284 Access Control Issues and represents a direct threat to system integrity and security isolation between virtual machines.

CVE-2026-42486 presents the most severe risk among the vulnerabilities, as vm-admin users can set VM.platform:hvm_serial parameters that should be restricted to pool-admin level access. This parameter allows arbitrary dom0 file writes, creating a direct path for file system manipulation and potential code execution within the host environment. The vulnerability directly maps to ATT&CK technique T1059 Command and Scripting Interpreter and CWE-284 Access Control Issues, representing a critical security flaw that could enable complete compromise of the hypervisor infrastructure.

The operational impact of these vulnerabilities extends beyond immediate privilege escalation capabilities to include potential denial of service conditions, data integrity issues, and system availability concerns. The combination of these flaws creates multiple attack vectors that could be chained together to achieve more significant compromises than any single vulnerability would permit individually. Organizations using XenServer systems should immediately implement mitigations including role re-evaluation, API access restriction enforcement, and monitoring for unauthorized configuration changes.

Mitigation strategies must include immediate patching of the affected XAPI components, implementation of additional monitoring for unauthorized configuration changes, and review of existing RBAC policies to ensure proper privilege separation. The vulnerabilities demonstrate the critical importance of maintaining strict authorization boundaries in hypervisor environments where a single compromised account with insufficient privileges could potentially lead to full system compromise through multiple attack vectors. Security teams should implement comprehensive logging of API calls related to these parameters and establish alerting mechanisms for any unauthorized modifications.

Disclosure

07/09/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!