oss-sec mailing list archives
Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command
From: Xen.org security team <security () xen org>
Date: Tue, 28 Apr 2026 12:01:37 +0000
Xen Security Advisory CVE-2026-23557 / XSA-484
version 2
Xenstored DoS via XS_RESET_WATCHES command
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
Any guest can cause xenstored to crash by issuing an XS_RESET_WATCHES
command within a transaction due to an assert() triggering.
In case xenstored was built with NDEBUG #defined, nothing bad will
happen, as assert() is doing nothing in this case. Note that the
default is not to define NDEBUG for xenstored builds even in release
builds of Xen.
IMPACT
======
Any unprivileged domain can cause xenstored to crash, causing a
DoS (denial of service) for any Xenstore action. This will result
in an inability to perform further domain administration on the host.
VULNERABLE SYSTEMS
==================
All Xen systems from Xen 4.2 onwards are vulnerable. Systems up to
Xen 4.1 are not vulnerable.
Systems using the C variant of xenstored or xenstore-stubdom built
without NDEBUG are vulnerable. Systems using the OCaml variant of
Xenstore (oxenstored), or the C variant (xenstored or xenstore-stubdom)
built with NDEBUG defined are not vulnerable.
MITIGATION
==========
There is no known mitigation available.
CREDITS
=======
This issue was discovered by Andrii Sultanov of Vates.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa484.patch           xen-unstable - Xen 4.18.x
xsa484-4.17.patch      Xen 4.17.x
$ sha256sum xsa484*
77c489191d40acd807eb19344a0e1bbb67a04551e89aff726fbb2006f235aacf xsa484.patch
6c8d8146d136956c59ee77da6aa6340272d1ea670a6b0d9cf37fe759d4b96b19 xsa484-4.17.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
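An exposure check for the "VULNERABLE SYSTEMS" criteria above, as an added example that is not part of the advisory or of the Xen Project's code. It assumes a glibc or musl build, where an active assert() leaves an undefined __assert_fail import in the binary; the function names, verdict strings and sample nm output are constructed for illustration, and it does not cover xenstore-stubdom or the Xen version criterion.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a C xenstored binary for live assert() calls.
# Assumption: glibc/musl build, where assert() becomes a call to __assert_fail
# unless NDEBUG was defined at compile time.

# Constructed sample `nm -D --undefined-only` output, not from a real xenstored.
SAMPLE_DEBUG='                 U __assert_fail@GLIBC_2.2.5
                 U malloc@GLIBC_2.2.5'
SAMPLE_NDEBUG='                 U malloc@GLIBC_2.2.5
                 U syslog@GLIBC_2.2.5'

# classify_symbols: read nm output on stdin, print whether assert() is compiled in.
classify_symbols() {
    if grep -Eq '[[:space:]]__assert_fail(@|$)'; then
        echo "asserts-enabled"
    else
        echo "asserts-compiled-out"
    fi
}

# check_xenstored PATH: print a one-word verdict for the binary at PATH.
check_xenstored() {
    bin=$1
    # The advisory lists the OCaml variant (oxenstored) as not vulnerable.
    if [ "$(basename "$bin")" = "oxenstored" ]; then
        echo "not-affected"; return 0
    fi
    # A missing file, missing nm, or a binary without dynamic symbols must not
    # be reported as safe, so an empty symbol list yields "unknown".
    syms=$(nm -D --undefined-only "$bin" 2>/dev/null) || syms=""
    if [ -z "$syms" ]; then
        echo "unknown"; return 2
    fi
    case "$(printf '%s\n' "$syms" | classify_symbols)" in
        asserts-enabled) echo "exposed-until-patched"; return 1 ;;
        *)               echo "asserts-compiled-out"; return 0 ;;
    esac
}

# Run as: sh check.sh /usr/sbin/xenstored  (path is an assumption; adjust per distro)
if [ "$#" -gt 0 ]; then
    check_xenstored "$1"
fi
```

An "unknown" verdict (static or unreadable binary) should be treated as exposed until the build flags are confirmed from the package's build log.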
