← Advisory Index « MOKSHA-2026-0021 MOKSHA-2026-0023 »

MOKSHA-2026-0022: Real-Time I/O Class Abuse via VBD.qos_algorithm_params - Cross-VM Starvation

Advisory ID	MOKSHA-2026-0022
Semantic ID	BQP-1
Published	2026-04-24
CVSS 3.1	7.5 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H`
CVSS 4.0	8.3 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N`
XAPI Object	`VBD`
XAPI Field	`qos_algorithm_params:sched`
Entry Role	vm-admin
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can set the real-time I/O scheduling class on their VM's virtual block devices by writing sched=rt and class=highest to VBD.qos_algorithm_params. xenopsd invokes ionice -c1 -n0 on the VBD kernel threads, granting them strict priority over all best-effort and idle I/O across the host. This starves I/O for every other VM on the same host. The change takes effect immediately without VBD replug, requires no shell access, and produces no security alert.

Vulnerability Description

VBD.qos_algorithm_params is a Map(String, String) field writable by vm-admin. When VBD.qos_algorithm_type is set to ionice, the sched and class keys are parsed by XAPI into a qos_scheduler struct and forwarded to xenopsd.

The code path:

vm-admin sets VBD.qos_algorithm_type = "ionice" and VBD.qos_algorithm_params = {sched: "rt", class: "highest"}
XAPI parses the values at xapi_xenops.ml:595-600 into Ionice.RealTime(0)
xenopsd invokes ionice -c1 -n0 -p<kthread_pid> on all VBD kernel threads
The Linux kernel grants these threads strict real-time I/O priority
All other VMs' VBD threads (in best-effort or idle class) are starved

The field has zero per-key RBAC. No shell injection is possible (xenopsd uses execve), but the real-time I/O scheduling class provides strict priority that starves other tenants' I/O.

Hot Apply

Changes to qos_algorithm_params take effect immediately. XAPI applies the new ionice settings without requiring a VBD unplug/replug cycle or VM restart.

Root Causes

Missing RBAC protection. VBD.qos_algorithm_params has zero map_keys_roles entries. The sched key is writable by vm-admin.
Missing value validation. The real-time scheduling class (sched=rt) is accepted without any role check. No policy limits which scheduling classes a vm-admin can request.
No per-host RT I/O budget. There is no mechanism to limit the number of VBDs in the real-time I/O class per host. A single vm-admin can consume the entire RT I/O budget.
Insufficient logging. No security alert is generated when a VBD is assigned the real-time scheduling class.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI + xenopsd codebase)
XCP-ng 8.3 - confirmed (source trace)

Indirectly Affected

All co-hosted VMs - I/O performance degraded due to RT scheduling starvation
Shared storage backends - kernel threads competing for the same underlying device are starved

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Cross-VM I/O starvation	All other VMs on the host experience severe I/O latency	vm-admin credential, ionice QoS type	Source-traced
Shared storage amplification	RT scheduling starves other hosts' I/O threads competing for shared LUNs	Shared storage (iSCSI, NFS, FC)	Modeled
Bulk RT assignment via BOC-1	Root access enables setting RT class on all VBDs in the pool simultaneously	BOC-1 available	Modeled (amplification chain)

Detection

Monitor VBD.qos_algorithm_params for sched=rt with class=highest or class=0
Alert on ionice real-time class assignments in dom0 (ionice -c1 in process list)
Monitor for I/O latency anomalies affecting multiple VMs on the same host
See rule B-01 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all VBD.qos_algorithm_params records for sched=rt entries
Monitor ionice process calls in dom0
Restrict vm-admin role grants in shared-host environments

Long-Term Fix

Restrict real-time scheduling. Add map_keys_roles for the sched key or validate that sched=rt requires pool-admin role.

Range-validate class values. Accept only integers in the range 0-7.

Per-host RT I/O budget. Implement a limit on the number of VBDs that can use the real-time scheduling class per host.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

XAPI source: xapi_xenops.ml:595-600 (scheduler parsing), Ionice.to_class_param (class parameter mapping)
Thematic advisory: disclosure/advisories/bqp-security-advisory.md (BQP-1)
Investigation: research/investigations/vbd-qos-algorithm-params.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0022.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0021 MOKSHA-2026-0023 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk