← Advisory Index « MOKSHA-2026-0052 MOKSHA-2026-0054 »

MOKSHA-2026-0053: MTU Manipulation (0-65535) via VIF.other_config

Advisory ID	MOKSHA-2026-0053
Semantic ID	VIOC-3
Published	2026-04-24
CVSS 3.1	5.3 Medium
CVSS 3.1 Vector	`AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H`
CVSS 4.0	5.3 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`
XAPI Object	`VIF`
XAPI Field	`other_config:mtu`
Entry Role	vm-admin
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary MTU value (0 through 65535) on any VIF by writing the mtu key in VIF.other_config. The value is parsed by int_of_string at xapi_xenops.ml:773 with no range validation and applied via ip link set. Extreme MTU values (0, 65535) cause network disruption including packet fragmentation, dropped frames, and connectivity failures for the affected VM and potentially for co-located VMs on the same bridge. The VIF.other_config field has zero map_keys_roles entries.

Vulnerability Description

VIF.other_config is a Map(String, String) field writable by vm-admin with zero per-key RBAC via map_keys_roles. The mtu key is consumed at the XAPI level during VIF translation to the xenopsd domain.

The code path:

vm-admin sets an extreme MTU value: VIF.add_to_other_config(vif, "mtu", "65535")
XAPI reads the value at xapi_xenops.ml:773 using int_of_string
No range validation is performed - any integer value is accepted
The MTU is applied to the VIF's network interface via ip link set mtu <value>
The host kernel processes the MTU change

An MTU of 0 causes the interface to reject all frames. An MTU of 65535 causes fragmentation mismatches with the physical network, leading to dropped packets for traffic exceeding the actual path MTU. An MTU mismatch between VIFs on the same bridge creates asymmetric connectivity failures.

Root Causes

Missing range validation. The mtu key is parsed by int_of_string with no bounds check. Valid Ethernet MTU ranges (68-9216 for standard/jumbo, maximum 65535 for theoretical) are not enforced.
Missing RBAC protection. VIF.other_config has zero map_keys_roles entries. The mtu key inherits the class default _R_VM_ADMIN.
No network-level consistency check. The VIF MTU is set independently of the bridge, physical NIC, and other VIFs on the same network. No check verifies that the MTU is compatible with the underlying network infrastructure.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

Co-located VMs - MTU mismatches on a shared bridge can cause fragmentation affecting all VMs on the same network segment
Physical network infrastructure - jumbo frames from an oversized MTU may not be supported by switches or routers

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Zero MTU	VIF rejects all frames, complete network loss for target VM	vm-admin	Source-traced
Oversized MTU	Fragmentation mismatch causes dropped packets and connectivity failures	vm-admin	Source-traced
Bridge MTU mismatch	Asymmetric MTU on same bridge causes intermittent failures for co-located VMs	vm-admin	Modeled
BOC-1 chain	vm-admin uses BOC-1 S3 to self-grant pool-operator, then manipulates MTU on all VIFs	vm-admin, BOC-1	Source-traced

Chaining Analysis

BOC-1 + VIOC-3: BOC-1 does not lower the RBAC barrier (already vm-admin) but enables bulk modification - root access allows setting extreme MTU values on all VIFs in the pool simultaneously.
VIOC-3 + VIOC-2: MTU manipulation combined with promiscuous mode (VIOC-2) amplifies the network attack surface - the attacker both captures traffic and disrupts the network layer.

Detection

Monitor VIF.other_config for mtu values outside normal range (1500-9000)
Alert on MTU values of 0 or above 9216
Monitor network interfaces for fragmentation anomalies
See rule V-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all VIF.other_config records for unexpected mtu values
Monitor for VIF MTU values outside the expected range
Restrict vm-admin delegated access to trusted administrators only

Long-Term Fix

Add MTU range validation. Enforce bounds checking on the mtu value at write time (minimum 68, maximum 9216 for standard deployments, configurable upper bound for jumbo frame environments).

Add map_keys_roles protection. Restrict mtu to _R_POOL_ADMIN or _R_POOL_OP in the VIF field definition.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

XAPI source: xapi_xenops.ml:773-779 (MTU parsing with int_of_string, no range check), datamodel.ml:3914-3917 (VIF.other_config field definition, zero map_keys_roles)
Thematic advisory: disclosure/advisories/vif-security-advisory.md (VIOC-3)
Investigation: research/investigations/vif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0053.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0052 MOKSHA-2026-0054 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk