[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Security readout for executives and security teams
Plain-English summary
CVE-2026-42486 is a critical XAPI RBAC flaw. A user with the vm-admin role can change VM.platform:hvm_serial, a setting intended for pool-admins, creating a path to arbitrary dom0 file writes. That can threaten the management host beneath virtual machines.
Executive priority
Treat as urgent for Xen environments with delegated administration. The business risk is host-level compromise or integrity loss from a lower-privileged admin role. Prioritize privilege review immediately, then follow Xen advisory remediation.
Technical view
XAPI inadequately restricts VM.platform:hvm_serial. The CNA states vm-admin can set this parameter although it should require pool-admin because it can allow arbitrary dom0 file write. The CVE has CVSS 4.0 score 9.4 and CWE-250. Provided affected data lists Xen XAPI, versions all.
Likely exposure
Organizations using Xen XAPI with delegated vm-admin users are the clearest exposure. Risk is higher where vm-admin is granted broadly, shared, or used by automation. The source bundle does not identify specific XenServer releases, package versions, or fixed builds.
Exploitation context
The provided bundle does not state active exploitation, and KEV is false. The issue is recent, critical, local-vector in CVSS, and tied to authorized XAPI role misuse rather than unauthenticated internet exposure. No exploit procedure is provided here.
Researcher notes
This CVE is one item in a multi-CVE XAPI RBAC advisory. Do not merge it with related issues: CVE-2026-42486 is specifically VM.platform:hvm_serial allowing arbitrary dom0 file write. Fix details are not present in the supplied bundle.
Mitigation direction
Review Xen XSA-489 and apply vendor guidance for affected XAPI deployments.
Temporarily reduce vm-admin assignments to only trusted administrators.
Audit automation accounts with vm-admin privileges.
Monitor for unexpected changes to VM.platform:hvm_serial.
Prefer pool-admin-only workflows for sensitive VM platform settings.
Validation and detection
Inventory Xen XAPI deployments and confirm where RBAC is enabled.
List users and service accounts assigned vm-admin.
Review recent changes to VM.platform:hvm_serial settings.
Check administrative logs for unexpected vm-admin configuration changes.
Track XSA-489 for fixed versions or vendor-specific instructions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-250: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-250 · source CWE mapping
Execution with Unnecessary Privileges
Execution with Unnecessary Privileges represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.