← Advisory Index « MOKSHA-2026-0059 MOKSHA-2026-0061 »

MOKSHA-2026-0060: Arbitrary Integer Passthrough to ionice via VBD.qos_algorithm_params

Advisory ID	MOKSHA-2026-0060
Semantic ID	BQP-2
Published	2026-04-24
CVSS 3.1	5.3 Medium
CVSS 3.1 Vector	`AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N`
CVSS 4.0	5.3 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
XAPI Object	`VBD`
XAPI Field	`qos_algorithm_params:class`
Entry Role	vm-admin
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can pass arbitrary integer values to the Linux ionice binary via the class key in VBD.qos_algorithm_params. The qos_class parser at xapi_xenops.ml:595-600 accepts any integer string via Other (int_of_string s), and Ionice.to_class_param at ionice.ml:30-31 passes Other x directly as the -n argument to ionice. No range validation is performed - the valid range is 0-7, but negative integers and values far outside this range are accepted and forwarded to the kernel. Kernel behavior with out-of-range ionice priority values is undefined. The VBD.qos_algorithm_params field has zero map_keys_roles entries, and changes take effect immediately without VBD replug.

Vulnerability Description

VBD.qos_algorithm_params is a Map(String, String) field writable by vm-admin with zero per-key RBAC. When VBD.qos_algorithm_type is set to ionice, the class key is parsed to determine the I/O scheduling priority for VBD kernel threads.

The code path:

vm-admin sets an out-of-range value: VBD.add_to_qos_algorithm_params(vbd, "class", "-999")

XAPI parses the class key at xapi_xenops.ml:595-600:

| Some s -> (
  try Other (int_of_string s)    (* accepts ANY integer *)
  with _ -> ... Normal
)

Other -999 is passed to xenopsd as part of the Ionice(qos_scheduler) struct
Ionice.to_class_param at ionice.ml:30-31 converts Other x to the -n argument:
```
| Other x -> x    (* DIRECT PASSTHROUGH *)
```
xenopsd invokes ionice -c<class> -n-999 -p<kthread_pid> via execve
The kernel receives an out-of-range priority value

No shell injection is possible - xenopsd uses Forkhelpers.execute_command_get_output which calls execve() directly without a shell. The risk is kernel-level undefined behavior with out-of-range scheduling parameters.

Additionally, QoS changes are applied hot via the Needs_set_qos action request mechanism (xenops_server_xen.ml:4003-4017). When the current ionice settings differ from the target QoS, xenopsd re-invokes ionice on running kernel threads without requiring a VBD replug or VM reboot.

Root Causes

Missing range validation. The qos_class parser accepts any integer via Other (int_of_string s). No bounds check enforces the valid range of 0-7.
Direct passthrough in ionice wrapper. Ionice.to_class_param passes Other x directly as the -n argument without any sanitization or clamping.
Missing RBAC protection. VBD.qos_algorithm_params has zero map_keys_roles entries. The class and sched keys inherit the class default _R_VM_ADMIN.
Hot apply without validation. QoS changes take effect immediately on running VBDs. There is no confirmation step or secondary validation before invoking ionice with attacker-controlled values.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared xenopsd codebase)
XCP-ng - all versions (confirmed on 8.3.0, source trace)

Indirectly Affected

Kernel I/O scheduler - receives undefined priority values that may cause unexpected scheduling behavior
Co-located VMs - kernel scheduling anomalies from undefined priority values affect all VMs sharing the same I/O path

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Negative priority injection	Pass negative integer to ionice -n, causing undefined kernel behavior	vm-admin, ionice QoS enabled	Source-traced
Extreme priority injection	Pass very large integer (e.g., 999999) to ionice -n	vm-admin, ionice QoS enabled	Source-traced
Hot apply on running VBDs	Inject arbitrary priority on running kernel threads without reboot	vm-admin, running VM with ionice QoS	Source-traced
BOC-1 chain	vm-admin uses BOC-1 S3 to bulk-inject out-of-range priorities across all VBDs	vm-admin, BOC-1	Source-traced

Chaining Analysis

BQP-2 + BQP-1: Arbitrary priority injection (BQP-2) combined with real-time class abuse (BQP-1) creates a compound I/O scheduling attack - the attacker both claims real-time class and injects undefined priority values.
BOC-1 + BQP-2: With root access via BOC-1 S3, the attacker bulk-sets out-of-range priorities on all VBDs in the pool. The hot-apply mechanism ensures changes take effect immediately without requiring VM restarts.

Detection

Monitor VBD.qos_algorithm_params for class values outside the 0-7 range
Alert on negative integer values in the class key
Monitor ionice invocations in dom0 for unexpected -n arguments
See rule B-02 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all VBD.qos_algorithm_params records for out-of-range class values
Monitor dom0 ionice invocations for unexpected arguments
Restrict vm-admin delegated access to trusted administrators only

Long-Term Fix

Add range validation. Validate the class value to 0-7 (the valid ionice priority range) at parse time in xapi_xenops.ml. Reject or clamp out-of-range values.

Remove Other passthrough. Replace the Other x variant in the qos_class type with a bounded integer type that enforces 0-7.

Add map_keys_roles protection. Restrict sched and class keys to _R_POOL_OP or _R_POOL_ADMIN to prevent vm-admin from modifying I/O scheduling.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

XAPI source: xapi_xenops.ml:595-600 (qos_class parser accepts any integer via Other), ionice.ml:30-31 (Other x passed directly as -n argument), ionice.ml:17-93 (full ionice wrapper), xenops_server_xen.ml:3907-3932 (ionice invocation via execve), xenops_server_xen.ml:4003-4017 (hot-apply QoS change detection)
Thematic advisory: disclosure/advisories/bqp-security-advisory.md (BQP-2)
Investigation: research/investigations/vbd-qos-algorithm-params.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0060.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0059 MOKSHA-2026-0061 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk