← Advisory Index « MOKSHA-2026-0071 MOKSHA-2026-0073 »

MOKSHA-2026-0072: SR Scan Interval Manipulation via Host.other_config auto-scan-interval

Advisory ID	MOKSHA-2026-0072
Semantic ID	HOC-4
Published	2026-04-24
CVSS 3.1	4.9 Medium
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H`
CVSS 4.0	5.1 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
XAPI Object	`Host`
XAPI Field	`other_config:auto-scan-interval`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the SR scanning interval by writing an arbitrary float value to Host.other_config:auto-scan-interval. The value is read at xapi_sr.ml:166-168 with float_of_string and no range validation. Setting an extremely small value (e.g., 0.001) causes continuous SR scanning, exhausting CPU and I/O resources. Setting an extremely large value (e.g., 999999999) effectively disables SR scanning, preventing XAPI from detecting storage state changes such as new VDIs, deleted snapshots, or capacity changes. The Host.other_config field has no map_keys_roles entries for infrastructure keys.

Vulnerability Description

Host.other_config is a Map(String, String) field defined at datamodel_host.ml:2929-2934. The field inherits _R_POOL_OP as the minimum write role from the Host class default at datamodel_host.ml:2759. The auto-scan-interval key name is defined at xapi_globs.ml:221.

The scanning thread reads the interval value:

xapi_sr.ml:166-168:
  let interval =
    try float_of_string (List.assoc "auto-scan-interval"
      (Db.Host.get_other_config ~__context ~self:host))
    with _ -> 30.0

The float_of_string call is the only parsing step. If the string is not a valid float, the exception is caught and the default (30.0 seconds) is used. But any valid float is accepted without bounds checking:

0.001 - scans every millisecond, causing CPU/IO saturation
0.0 - infinite loop with no delay (degenerate case)
999999999.0 - scan interval of approximately 31 years
Negative values - implementation-defined behavior of the sleep function

Root Causes

Missing range validation. The float_of_string parse accepts any valid float. No minimum or maximum bounds are enforced.
Missing RBAC protection. Host.other_config has map_keys_roles entries only for UI keys (folder, XenCenter.CustomFields.*). The auto-scan-interval key is writable by any pool-operator.
No write-time validation. XAPI stores the value without checking whether it falls within an operationally safe range.
set_other_config RBAC bypass. The set_other_config method replaces the entire map atomically and bypasses map_keys_roles per-key checks.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng - all versions (confirmed via source trace)

Indirectly Affected

Storage monitoring - SR state changes go undetected when scanning is suppressed
Management orchestrators (Xen Orchestra, CloudStack) - stale SR data when scanning is disabled
Backup systems - snapshot visibility delayed when scan interval is excessive

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
CPU/IO exhaustion	Continuous SR scanning saturates host CPU and storage I/O	pool-operator, set interval to 0.001	Source-traced
Scan suppression	XAPI does not detect storage changes for extended period	pool-operator, set interval to 999999999	Source-traced
Stale state exploitation	Attacker suppresses scanning, makes storage changes undetected	pool-operator, combined with storage manipulation	Modeled
BOC-1 chain	vm-admin manipulates scan interval across all hosts via RBAC collapse	vm-admin, BOC-1	Source-traced

Chaining Analysis

HOC-4 + SOC-5 (MOKSHA-2026-0074): Suppressing SR scanning (HOC-4) combined with disabling garbage collection (SOC-5) creates a compound storage degradation condition. Neither the SR state changes nor the orphan VDI accumulation is detected.
BOC-1 + HOC-4: BOC-1 collapses the pool-operator barrier. A vm-admin sets extreme scan intervals on all hosts, causing either resource exhaustion or storage blindness pool-wide.

Detection

Monitor Host.other_config for changes to the auto-scan-interval key
Alert on scan interval values below 5.0 or above 3600.0 seconds
Monitor SR scanning thread CPU usage for anomalous patterns
See rule H-04 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all Host.other_config entries for unexpected auto-scan-interval values
Monitor host CPU usage for SR scanning thread anomalies
Restrict XAPI API access to trusted networks

Long-Term Fix

Add range validation. Enforce a minimum (5.0 seconds) and maximum (3600.0 seconds) range for the auto-scan-interval value at write time.

Add map_keys_roles protection. Restrict auto-scan-interval to _R_POOL_ADMIN in datamodel_host.ml.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0026 (HOC-1), MOKSHA-2026-0035 (HOC-2), MOKSHA-2026-0048 (HOC-3)
XAPI source: datamodel_host.ml:2929-2934 (field definition), xapi_sr.ml:166-168 (float_of_string with no bounds), xapi_globs.ml:221 (key name definition)
Thematic advisory: disclosure/advisories/hoc-security-advisory.md (HOC-4)
Investigation: research/investigations/host-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0072.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0071 MOKSHA-2026-0073 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk