9.4
CVE-2025-58146
- EPSS -
- Veröffentlicht 09.07.2026 14:42:22
- Zuletzt bearbeitet 09.07.2026 17:16:56
- Quelle security@xen.org
- CVE-Watchlists
- Unerledigt
XAPI UTF-8 string handling
There are multiple issues.
1. Updates to the XAPI database sanitise input strings, but try
generating the notification using the unsanitised input. This
causes the database's event thread to terminate and cease further
processing.
2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
uses libraries which conform to the stricter v3.1 of the Unicode
spec. This causes some strings to be accepted as valid UTF-8 by
XAPI, but rejected by other libraries in use. Notably, such strings
can be entered into the database, after which the database can no
longer be loaded.
3. There is no input sanitisation for Map/Set updates on objects in the
XAPI database.Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerXen
≫
Produkt
XAPI
Default Statusunaffected
Version
all
Status
affected
VulnDex Vulnerability Enrichment
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@xen.org | 9.4 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://xenbits.xen.org/xsa/advisory-474.html
http://www.openwall.com/lists/oss-security/2025/09/09/3
http://xenbits.xen.org/xsa/advisory-474.html