Latest Citrix XenServer vulnerabilities (Updated April 29, 2026) #
The Xen Project (upstream) and Citrix (downstream) released separate but related advisories to address the claims made in the April 24 audit (described below). The Xen Project issued technical advisories XSA-483 through XSA-489 to address the core source code. Notably, XSA-489 serves as a direct rebuttal to the April 24 audit, concluding that only five of the 89 claims were actionable. The remainder were identified as intended RBAC functionality or, in several instances, appeared to be "AI hallucinations" within the researcher's report. Simultaneously, Citrix released Security Bulletin CTX696527 to provide specific updates and hotfixes for commercial users, focusing on the practical impact to XenServer environments.
The following vulnerabilities have been confirmed by the vendors:
- CVE-2026-23556 (XSA-483): A flaw where oxenstored keeps quota-related use counts across domain destruction. Citrix notes this could allow a privileged user in a guest VM to cause the host to crash or become unresponsive.
- CVE-2026-23557 (XSA-484): A Denial of Service (DoS) vulnerability via the XS_RESET_WATCHES command in xenstored.
- CVE-2026-31786 (XSA-485): A Linux kernel out-of-bounds read via a Xen-related sysfs file, potentially leaking sensitive information.
- CVE-2026-23558 (XSA-486): A race condition in grant table v2 status page mapping. Citrix notes this could allow a privileged user in a guest VM to compromise the host under specific circumstances.
- CVE-2026-31787 (XSA-487): A Linux kernel double-free in the Xen privcmd driver; as it requires root privileges, the Xen Project considers the crash potential not security-relevant.
- CVE-2025-54505 (XSA-488): Addresses "Floating Point Divider State Sampling" on certain AMD CPUs. While not a XenServer software vulnerability, this update mitigates a hardware issue to prevent a guest VM from inferring data from a different VM.
- XAPI RBAC Escalation (XSA-489): This advisory confirms five actionable vulnerabilities: CVE-2026-23559, CVE-2026-23560, CVE-2026-23561, CVE-2026-23562, and CVE-2026-42486. Citrix warns that the first three in particular may allow host administrators to gain access beyond the limits of their assigned RBAC role.
The following versions of Citrix Hypervisor / XenServer are affected:
- Citrix XenServer version 8.4
Note: Citrix XenServer 9.x is currently in Public Preview and not covered by standard security bulletins; as such, it may be affected by these issues.
Initial Advisory (April 24, 2026) #
On April 24, 2026, researchers publicly disclosed an audit identifying 89 exploitable vulnerabilities. These issues primarily involve missing input validation across all writable Map(String,String) fields within eight XAPI object types. Consequently, an attacker with the vm-admin management role "can achieve full host filesystem read/write [access], cross-VM data exfiltration, storage protocol injection, cross-hypervisor lateral movement, and pool-wide compromise through single API calls with no exploit code, no root shell, and no security alerts." These vulnerabilities have persisted since the inception of the XAPI codebase (circa 2006). The researchers assigned the following CVSS severity distribution: 5 critical, 28 high, 46 medium, and 10 low. These vulnerabilities do not currently have CVE IDs assigned.
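The audit's central claim is that writable Map(String,String) fields were accepted without validation. As an added illustration (not code from the advisory, runZero, Citrix or the Xen Project, and not XAPI's actual fix), the following Python shows what deny-by-default validation of such a key/value field looks like: keys are allow-listed per role, and keys and values are held to a character set and length limit so that a stored value cannot carry control characters or newlines into whatever later consumes it. The role names, allowed keys and limits are constructed for the example.

```python
"""
Added example: allow-list validation for a free-form key/value
(Map(String,String)) field, the class of input the April 24 audit says
XAPI accepted unchecked.  Policy below is a constructed illustration,
not XAPI's real rules or the vendor's fix.
"""
import re

# Hypothetical allow-list: which keys a caller holding a given role may write.
# Role and key names are constructed for the example.
ALLOWED_KEYS_BY_ROLE = {
    "vm-admin": {"description", "owner", "cost-center"},
    "pool-admin": {"description", "owner", "cost-center", "backup-target"},
}

MAX_KEY_LEN = 64
MAX_VALUE_LEN = 1024
# Keys: lower-case identifier style, must start with a letter or digit, so
# path-like or separator-laden keys are rejected before any role check.
KEY_PATTERN = re.compile(r"^[a-z0-9][a-z0-9._-]*$")
# Values: printable ASCII only; no control characters, newlines or NULs, so a
# value later copied into a config file, command argument or log line cannot
# add lines of its own or terminate a string early.
VALUE_PATTERN = re.compile(r"^[\x20-\x7e]*$")


class MapValidationError(ValueError):
    pass


def validate_map_update(role: str, updates: dict) -> dict:
    """Return the accepted updates or raise MapValidationError.

    Checks, in order: the role is known, every key is well formed and
    allow-listed for that role, and every value fits the character and
    length limits.  Anything not explicitly permitted is refused.
    """
    allowed = ALLOWED_KEYS_BY_ROLE.get(role)
    if allowed is None:
        raise MapValidationError(f"unknown role {role!r}")
    if not isinstance(updates, dict):
        raise MapValidationError("map update must be a dict")
    clean = {}
    for key, value in updates.items():
        if not isinstance(key, str) or not isinstance(value, str):
            raise MapValidationError("keys and values must be strings")
        if len(key) > MAX_KEY_LEN or not KEY_PATTERN.match(key):
            raise MapValidationError(f"malformed key {key!r}")
        if key not in allowed:
            raise MapValidationError(f"role {role!r} may not set {key!r}")
        if len(value) > MAX_VALUE_LEN or not VALUE_PATTERN.match(value):
            raise MapValidationError(
                f"value for {key!r} is too long or contains disallowed characters")
        clean[key] = value
    return clean


def check_update(role: str, updates: dict):
    """Convenience wrapper: return (accepted, detail) instead of raising."""
    try:
        return True, validate_map_update(role, updates)
    except MapValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample updates: one well-formed, three that must be refused.
    samples = [
        ("vm-admin", {"description": "build agent 3", "owner": "ci-team"}),
        ("vm-admin", {"backup-target": "nfs:/exports/vm"}),    # key reserved for pool-admin
        ("vm-admin", {"description": "agent\nextra-line=1"}),  # embedded newline
        ("vm-admin", {"../etc/passwd": "x"}),                  # path-like key
    ]
    for role, upd in samples:
        ok, detail = check_update(role, upd)
        print("ACCEPT" if ok else "REJECT", role, upd, "->", detail)
```

The ordering matters: the key's shape is checked before the role allow-list, so a malformed key is refused regardless of who sends it, and the per-role list is consulted only for keys that are already well formed.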
What is Citrix XenServer? #
Citrix XenServer, formerly known as Citrix Hypervisor, is a bare-metal hypervisor based on the open-source Xen project that enables multiple virtual machines to run concurrently on a single physical server.
What is the impact? #
Successful exploitation of the vulnerabilities allows a remote, authenticated attacker to gain unauthorized host filesystem control and breach VM isolation boundaries.
Are updates or workarounds available? #
For Citrix XenServer versions 8.4 and prior, the vendor recommends updating to the latest version of Citrix XenServer via the Early Access or Normal update channels.
Note: Citrix XenServer versions 9.x are Public Preview releases and do not receive security bulletins; therefore, users should evaluate their environment's risk and consider migrating to a stable, supported release.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
os:="Citrix XenServer"
September 2024: CVE-2024-45817 #
Citrix released a security update to address vulnerabilities in their XenServer and Hypervisor virtualization products.
Citrix outlines that the following affects both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR and could allow a malicious administrator of a guest VM to cause the host to crash or become unresponsive.
- CVE-2024-45817 has not been rated, but could leave the host deadlocked: when the virtual x86 APIC (Advanced Programmable Interrupt Controller) reports an error to its error status register, a recursive call is made under a mutex that is already held.
- CVE-2022-24805 is not rated, but affects net-snmp and allows for a classic buffer overflow.
- CVE-2022-24809 is not rated, but affects net-snmp and allows for a NULL pointer dereference.
Both of these can be triggered by a user with read-only credentials.
What is the impact? #
All of these vulnerabilities can be triggered with guest or read-only credentials, which makes exploitation more likely.
Are updates or workarounds available? #
Citrix recommends limiting access to management interfaces as well as upgrading to one of the following versions:
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
(product:citrix and type:hypervisor) or product:xenserver