← Advisory Index « MOKSHA-2026-0025 MOKSHA-2026-0027 »

MOKSHA-2026-0026: Python Module Import Injection via Host.other_config multipathhandle

Advisory ID	MOKSHA-2026-0026
Semantic ID	HOC-1
Published	2026-04-24
CVSS 3.1	7.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`
CVSS 4.0	7.5 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
XAPI Object	`Host`
XAPI Field	`other_config:multipathhandle`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can inject a controlled Python module name via Host.other_config:multipathhandle. The SM driver's SR._mpathinit() at SR.py:474-475 passes this value directly to Python's __import__() function as mpath_<value>. While an os.path.exists() check at line 469 verifies the file exists, this requires a file write primitive to place a .py file in /opt/xensource/sm/. Combined with BOC-1, a vm-admin can write mpath_evil.py to the SM driver directory and then set multipathhandle=evil to achieve arbitrary code execution as root during the next SR operation. Standalone, this requires pool-operator plus an independent file write capability.

Vulnerability Description

Host.other_config is a Map(String, String) field writable by pool-operator. The multipathhandle key controls which multipath module the SM driver imports at runtime.

The code path:

pool-operator calls Host.add_to_other_config(host, "multipathhandle", "evil")
On the next SR operation, SR._mpathinit() is called
SR.py:469 checks os.path.exists("/opt/xensource/sm/mpath_evil.py")
SR.py:474-475 calls __import__("mpath_evil")
The attacker-controlled module is loaded and executed as root

The only valid values for multipathhandle are dmp and null, corresponding to mpath_dmp.py and mpath_null.py. No allowlist is enforced - any value that corresponds to an existing file in the SM directory is accepted.

BOC-1 Chain

With BOC-1, the attack becomes a two-step vm-admin-to-root chain:

Step 1: vm-admin uses BOC-1 to mount the host root filesystem as a guest VBD
Step 2: Write mpath_evil.py to /opt/xensource/sm/
Step 3: vm-admin grants self pool-operator via BOC-1 S3 RBAC collapse
Step 4: Set multipathhandle=evil
Step 5: Next SR operation imports the malicious module as root

This chain escalates from vm-admin to persistent root code execution.

Root Causes

Missing RBAC protection. Host.other_config has zero map_keys_roles entries for the multipathhandle key. Any pool-operator can modify it.
Unsafe dynamic import. __import__() with unsanitized user input is a known code execution primitive. The os.path.exists() check is not a security control - it verifies the file exists, not that it is authorized.
Missing allowlist. Only dmp and null are valid values, but no allowlist restricts the input.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared SM driver codebase)
XCP-ng 8.3 - confirmed (source trace, RBAC verified on live host)

Indirectly Affected

Storage infrastructure - root code execution in the SM driver process grants full access to storage operations
All VMs on affected hosts - root access compromises all co-hosted VMs

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Module import injection (standalone)	Root code execution during SR operations	pool-operator + file write to `/opt/xensource/sm/`	Source-traced (High confidence)
BOC-1 + HOC-1 chain	vm-admin achieves persistent root code execution	BOC-1 available	Modeled (multi-step chain)

Detection

Monitor Host.other_config for multipathhandle changes
Alert on values other than dmp or null
Audit /opt/xensource/sm/mpath_*.py for unexpected files
See rule H-01 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit Host.other_config for unexpected multipathhandle values
Audit /opt/xensource/sm/ for unexpected mpath_*.py files
Restrict pool-operator role grants

Long-Term Fix

Replace __import__() with explicit allowlist. Replace the dynamic import with conditional logic that only accepts dmp and null. Reject all other values.

Add map_keys_roles. Protect multipathhandle in datamodel.ml at _R_POOL_ADMIN.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 provides file write primitive and RBAC collapse for the full chain)
XAPI source: vendor/sm/drivers/SR.py:469-475 (os.path.exists check + __import__ call), datamodel.ml (Host field definition)
Thematic advisory: disclosure/advisories/hoc-security-advisory.md (HOC-1)
Investigation: research/investigations/host-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0026.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0025 MOKSHA-2026-0027 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk