CVE-2026-23556

CRITICAL

CVSS v4.0: 9.4

No privilegesNo user interactionVendor advisory ref

Source data as of:

At a glance

Severity
CRITICAL
CVSS
9.4 v4.0 · NVD
EPSS
EPSS not provided by FIRST.org for this CVE
CISA KEV
No
Attack conditions (CVSS vector)
No privilegesNo user interaction · Source: NVD Vector
Published
2026-07-09 · Modified: 2026-07-09

CVSS / EPSS / KEV

CVSS v4.0 9.4 / 10 CRITICAL Source: NVD
EPSS EPSS not provided by FIRST.org for this CVE Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.

Record details

CVE ID
CVE-2026-23556
CVSS (v4.0)
9.4 (CRITICAL)
Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA KEV
No
Weakness (CWE)
CWE-281
Affected configurations (CPE)
0
Published
2026-07-09
Modified
2026-07-09
Status
Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.