MOKSHA-2026-0089: Raw kbps Value Exposure in Private Xenstore via VIF.qos_algorithm_params

Advisory ID	MOKSHA-2026-0089
Semantic ID	VQP-5
Published	2026-04-24
CVSS 3.1	2.3 Low
CVSS 3.1 Vector	`AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`
CVSS 4.0	5.3 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
XAPI Object	`VIF`
XAPI Field	`qos_algorithm_params:kbps (xenstore)`
Entry Role	vm-admin
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params:kbps, which xenopsd writes as a raw Int64.to_string value to the VIF's private xenstore path at device.ml:920-927. The raw kbps and timeslice_us values are stored at /xapi/<domid>/private/vif/<devid>/rate and .../timeslice for xenopsd internal bookkeeping (VIF replug scenarios). While Int64.to_string prevents xenstore path injection (it produces only decimal digit characters), the raw user-controlled values are readable by dom0 processes that consume VIF private xenstore data. The VIF.qos_algorithm_params field has zero map_keys_roles entries.

Vulnerability Description

VIF.qos_algorithm_params is a Map(String, String) field defined at datamodel.ml:1666-1681 via the qos function with zero map_keys_roles entries.

xenopsd writes raw rate values to two xenstore locations:

Backend path (device.ml:851) - computed bytes_per_interval:

rate = sprintf "%Lu,%Lu" bytes_per_interval timeslice_us
Written to: /local/domain/0/backend/vif/<domid>/<devid>/rate

Private data path (device.ml:920-927) - raw user-controlled values:

match rate with
| None -> []
| Some (rate, timeslice) ->
    [ ("rate", Int64.to_string rate)
    ; ("timeslice", Int64.to_string timeslice) ]

Written to: /xapi/<domid>/private/vif/<devid>/rate and .../timeslice

The private path stores the raw kbps and timeslice_us values from the user, not the computed bytes_per_interval. These are formatted via Int64.to_string, which produces only decimal digit characters (optionally with a leading - for negative values).

The private xenstore path is readable only by dom0 processes. There is no guest-side visibility. Int64.to_string formatting prevents xenstore path separator injection or other injection attacks through this path.

The concern is the architectural pattern: user-controlled values from a vm-admin are stored in a dom0-readable location without any indication that they are attacker-supplied rather than system-generated.

Root Causes

Raw value passthrough. xenopsd stores the raw user-provided kbps and timeslice_us in private xenstore without marking them as user-supplied or validating them.
Missing RBAC protection. VIF.qos_algorithm_params has zero map_keys_roles entries. All keys are writable by vm-admin.
No provenance tracking. Dom0 processes that read the private xenstore path cannot distinguish between values set by XAPI internally and values injected by a vm-admin.
set_qos_algorithm_params RBAC bypass. The set_qos_algorithm_params method replaces the entire map and bypasses map_keys_roles per-key checks.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI + xenopsd codebase)
XCP-ng - all versions (tested on 8.3.0)

Indirectly Affected

Dom0 monitoring tools - tools that read VIF private xenstore data consume attacker-controlled values
xenopsd replug logic - uses stored raw values for VIF replug, potentially reapplying invalid rates

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Raw value in private xenstore	Attacker-controlled kbps value readable by dom0 processes	vm-admin, VIF with ratelimit QoS	Live-tested
Replug with stored value	xenopsd re-reads raw kbps from private xenstore on replug	vm-admin, VIF replug	Source-traced
Negative kbps in xenstore	Negative Int64 value stored as "-N" string in xenstore	vm-admin	Source-traced

Chaining Analysis

BOC-1 + VQP-5: BOC-1 does not lower the RBAC barrier (already vm-admin). Root access could read the private xenstore values, but root already has access to everything on the host.
SMC-1: No interaction. VIF QoS operates on network backends, not storage protocol traffic.
Int64.to_string formatting prevents injection through this path. The finding is informational - it documents the presence of attacker-controlled values in a dom0-readable location.

Detection

Audit private xenstore paths for VIF rate values that are negative, zero, or extremely large
Compare private xenstore rate values against XAPI DB kbps values for consistency
Monitor for VIF replug operations that reapply previously stored invalid rates
See rule Q-05 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit VIF private xenstore paths for unexpected rate values
Monitor VIF QoS behavior after replug operations
Restrict XAPI API access to trusted networks

Long-Term Fix

Validate before storing. Apply the same range validation to the private xenstore write path as the backend xenstore path. Do not store raw user-controlled values that failed validation.

Add provenance markers. Mark private xenstore values as validated or unvalidated so downstream consumers can distinguish system-generated from user-supplied data.

Add write-time validation for kbps. Reject invalid kbps values at the XAPI API boundary before they propagate to xenopsd and xenstore.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0033 (VQP-1), MOKSHA-2026-0062 (VQP-2), MOKSHA-2026-0063 (VQP-3), MOKSHA-2026-0088 (VQP-4)
XAPI source: datamodel.ml:1666-1681 (VIF.qos_algorithm_params field definition), xapi_xenops.ml:781-808 (rate parsing), device.ml:920-927 (raw kbps/timeslice written to private xenstore via Int64.to_string)
Thematic advisory: disclosure/advisories/vqp-security-advisory.md (VQP-5)
Investigation: research/investigations/vif-qos-algorithm-params.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0089.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0088

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk