← Advisory Index « MOKSHA-2026-0042 MOKSHA-2026-0044 »

MOKSHA-2026-0043: PBD Synchronization Bypass via Pool.other_config sync_create_pbds

Advisory ID	MOKSHA-2026-0043
Semantic ID	PLOC-5
Published	2026-04-24
CVSS 3.1	6.5 Medium
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H`
CVSS 4.0	7.0 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N`
XAPI Object	`Pool`
XAPI Field	`other_config:sync_create_pbds`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable automatic PBD creation for shared storage repositories by setting the sync_create_pbds key to "nosync" in Pool.other_config. The create_storage.ml:166-171 module checks this value during host boot and skips PBD creation when it equals "nosync". This causes shared storage to remain disconnected after host reboot - VMs depending on shared storage cannot start. The disruption persists across reboots until the key is removed.

Vulnerability Description

Pool.other_config is a Map(String, String) field writable by pool-operator. The sync_create_pbds key controls whether XAPI automatically creates PBDs (Physical Block Devices - the host-local connections to shared storage repositories) during host startup.

The code path:

pool-operator calls Pool.add_to_other_config(pool, "sync_create_pbds", "nosync")
XAPI stores the value without validation
On next host boot, create_storage.ml:166-171 reads Pool.other_config
The code checks if sync_create_pbds equals "nosync"
If "nosync", PBD auto-creation for shared SRs is skipped entirely
Host boots without connections to shared storage
VMs with disks on shared SRs fail to start with storage connectivity errors

The key persists across reboots. Every subsequent host restart in the pool continues to skip PBD creation until the key is manually removed. In a pool with HA, this can cause cascading failures: hosts reboot without storage, HA-protected VMs cannot restart, and the pool enters a degraded state.

Root Causes

Missing RBAC protection. Pool.other_config has no map_keys_roles entry for sync_create_pbds. It inherits the class default _R_POOL_OP.
Missing write-time validation. No validation occurs when the key is set. The value "nosync" is a string comparison at consumption time only.
Persistent denial of service. The key persists in the database across reboots, causing repeated storage disconnection on every host startup until manually removed.
No operational guard. No check verifies whether disabling PBD sync is appropriate for the current pool state (e.g., whether shared SRs exist, whether HA is enabled).

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

All VMs on shared storage - cannot start after host reboot when PBD sync is disabled
HA-protected workloads - HA restart attempts fail because shared storage is disconnected
Storage infrastructure - shared SRs (NFS, iSCSI, FC) appear healthy but are unreachable from affected hosts

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Storage disconnection on reboot	All shared SRs disconnected after host restart, VMs fail to start	pool-operator	Source-traced
HA cascade	HA-protected VMs cannot restart after failover because shared storage is disconnected	pool-operator, HA enabled, shared storage	Source-traced
Persistent disruption	Key persists across reboots, causing repeated failures until manual removal	pool-operator	Source-traced
BOC-1 chain	vm-admin uses BOC-1 S3 to self-grant pool-operator, then disables PBD sync	vm-admin, BOC-1	Source-traced

Chaining Analysis

BOC-1 + PLOC-5: vm-admin uses BOC-1 S3 (RBAC collapse) to self-grant pool-operator, then sets sync_create_pbds=nosync. The disruption activates on next host reboot.
PLOC-5 + PLOC-2: PBD sync bypass (PLOC-5) combined with HA timeout manipulation (PLOC-2) creates a scenario where hosts reboot (HA fencing from PLOC-2), then fail to reconnect storage (PLOC-5), preventing HA VM restart.

Detection

Monitor Pool.other_config for the sync_create_pbds key
Alert on any value other than absence of the key
Alert on PBD plug failures after host restart when shared SRs exist
See rule PL-05 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit Pool.other_config for unexpected sync_create_pbds key
If present and set to "nosync", remove the key: Pool.remove_from_other_config(pool, "sync_create_pbds")
Monitor host boot sequences for missing PBD connections

Long-Term Fix

Protect the key via map_keys_roles. Add sync_create_pbds to Pool.other_config map_keys_roles at _R_POOL_ADMIN in datamodel_pool.ml.

Add operational warnings. When sync_create_pbds is set to "nosync", XAPI should log a prominent warning during host boot indicating that shared storage will not be connected.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

XAPI source: create_storage.ml:166-171 (sync_create_pbds check), datamodel_pool.ml:1764-1773 (field definition)
Thematic advisory: disclosure/advisories/ploc-security-advisory.md (PLOC-5)
Investigation: research/investigations/pool-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0043.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0042 MOKSHA-2026-0044 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk