I run ZFS, I run XAPI. I wanted to write a proper SMAPIv3 v5 storage driver for XCP-ng - using ZFS the way ZFS was designed to be used (raw zvols, native snapshots, native compression, zfs send/recv for migration), instead of qcow2-on-dataset wrappers pretending to be ZFS. Reading the XAPI codebase to figure out how to build that driver is what produced the XSA-489 disclosure. The XSA-489 outcome is what produced this audit.
I knew mine were ghosts. But how many others were there?
Of all the CVEs referenced in Xen Security Advisories (XSAs), how many have a corresponding record in any of the 30+ vulnerability databases CIRCL's vulnerability-lookup indexes (NVD, cvelistv5, CSAF feeds, OSV, KEV, others)?
A CVE is a ghost if the advisory exists and is PGP-signed but the CVE record exists nowhere in those databases.
Script + raw JSONL: audit-xsa.py, audit-results.jsonl.
580 CVEs total. 568 published. 12 ghosts.
Per year. Ghost % is the ghost rate within that year (ghosts / CVEs that year), not a share of the 12 ghosts overall. The trend is the story - 0% for 11 years, then 1.5% → 15.4% → 41.2%.
| Year | CVEs | Published | Ghost | Ghost % |
|---|---|---|---|---|
| 2011 | 6 | 6 | 0 | 0 |
| 2012 | 34 | 34 | 0 | 0 |
| 2013 | 49 | 49 | 0 | 0 |
| 2014 | 42 | 42 | 0 | 0 |
| 2015 | 52 | 52 | 0 | 0 |
| 2016 | 43 | 43 | 0 | 0 |
| 2017 | 45 | 45 | 0 | 0 |
| 2018 | 33 | 33 | 0 | 0 |
| 2019 | 33 | 33 | 0 | 0 |
| 2020 | 54 | 54 | 0 | 0 |
| 2021 | 45 | 45 | 0 | 0 |
| 2022 | 66 | 65 | 1 | 1.5 |
| 2023 | 27 | 27 | 0 | 0 |
| 2024 | 8 | 8 | 0 | 0 |
| 2025 | 26 | 22 | 4 | 15.4 |
| 2026 | 17 | 10 | 7 | 41.2 |
2026 is partial - 5 months of data through 2026-05-25; year ends Dec 31. 17 CVEs and 7 ghosts so far.
11 consecutive years (2011-2021) at 100% publication: 436 CVEs, 0 ghosts.
First ghost appears 2022. Volume rises in 2025-2026.
| Year | XSA | CVE | Component | Reporter | Reporter affiliation |
|---|---|---|---|---|---|
| 2022 | XSA-396 | CVE-2022-23041 | Linux PV netfront | Demi Marie Obenour, Simon Gaiser | independent |
| 2025 | XSA-468 | CVE-2025-27462 | WinPVDrivers (XenCons) | Tu Dinh | Vates |
| 2025 | XSA-468 | CVE-2025-27463 | WinPVDrivers (XenIface) | Tu Dinh | Vates |
| 2025 | XSA-468 | CVE-2025-27464 | WinPVDrivers (XenBus) | Tu Dinh | Vates |
| 2025 | XSA-474 | CVE-2025-58146 | XAPI (UTF-8) | Edwin Torok | XenServer |
| 2026 | XSA-478 | CVE-2025-58151 | varstored (UEFI) | Teddy Astie | Vates |
| 2026 | XSA-483 | CVE-2026-23556 | oxenstored | Andrii Sultanov | Vates |
| 2026 | XSA-489 | CVE-2026-23559 | XAPI RBAC | ? | ? |
| 2026 | XSA-489 | CVE-2026-23560 | XAPI RBAC | ? | ? |
| 2026 | XSA-489 | CVE-2026-23561 | XAPI RBAC | ? | ? |
| 2026 | XSA-489 | CVE-2026-23562 | XAPI RBAC | ? | ? |
| 2026 | XSA-489 | CVE-2026-42486 | XAPI RBAC | ? | ? |
By reporter affiliation: 6 Vates, 1 XenServer, 1 independent, 5 from XSA-489.
XSA-396: Obenour + Gaiser reported 7 CVEs in one advisory. 6 published, 1 ghost. Same advisory, same authors, same reporting.
XSA-483: Sultanov reported 2 CVEs the same day. One published (XSA-484, hypervisor), one ghost (XSA-483, oxenstored).
Splitting the 580 CVEs by component layer:
| Layer | CVEs | Ghosts | Ghost % |
|---|---|---|---|
| Hypervisor (Xen core, x86, EPT, IBPB) | 425 | 0 | 0% |
| Linux kernel (PV frontends, privcmd) | 70 | 1 | 1.4% |
| Management / toolstack (XAPI, xenstored, oxenstored, varstored, qemu, libxl, WinPVDrivers) | 85 | 11 | 12.9% |
11 of 12 ghosts (92%) are in the management/toolstack layer. The remaining ghost is in a Linux PV frontend (XSA-396 netfront). The hypervisor layer has never produced a ghost in 580 CVEs over 15 years.
The management/toolstack layer is where Citrix, XenServer/CSG, and Vates have diverged from upstream Xen and where their commercial products compete. The hypervisor layer is shared open-source code.
The 12 ghosts fall into four shapes:
CVE records are what vulnerability scanners (Nessus, Qualys, Rapid7, OpenVAS, etc.) consume. No record in the databases means no scanner rule. Organizations running XCP-ng or XenServer with these patched vulnerabilities cannot use automated tooling to verify exposure or patch state. Manual cross-reference against xenbits.xen.org is the only option.
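The ghost classification and the per-year / per-layer tallies above, as an added example that is not the post's audit-xsa.py: the advisory list and the `INDEXED_CVES` set are constructed stand-ins for the XSA feed and for a query against vulnerability-lookup, so it runs offline; the `CVE-*-0000N` ids are constructed filler, the others are taken from the ghost table.

```python
from collections import defaultdict

# Constructed sample of XSA advisory references: (XSA, year, CVE, layer).
# CVEs marked "page" come from the post's ghost table; "constructed" ids are
# filler so that the published bucket is non-empty.
ADVISORIES = [
    ("XSA-396", 2022, "CVE-2022-23041", "linux"),       # page: ghost
    ("XSA-396", 2022, "CVE-2022-00001", "linux"),       # constructed: published
    ("XSA-468", 2025, "CVE-2025-27462", "toolstack"),   # page: ghost
    ("XSA-483", 2026, "CVE-2026-23556", "toolstack"),   # page: ghost
    ("XSA-484", 2026, "CVE-2026-00002", "hypervisor"),  # constructed: published
    ("XSA-489", 2026, "CVE-2026-23559", "toolstack"),   # page: ghost
]

# Constructed stand-in for the union of databases vulnerability-lookup indexes.
# The real audit queries the service per CVE id instead of consulting a set.
INDEXED_CVES = {"CVE-2022-00001", "CVE-2026-00002"}

def is_ghost(cve, index=INDEXED_CVES):
    """Ghost: an advisory references the CVE but no database holds a record."""
    return cve not in index

def audit(advisories=ADVISORIES, index=INDEXED_CVES):
    """Return (ghost list, per-year tallies, per-layer tallies)."""
    ghosts, seen = [], set()
    by_year = defaultdict(lambda: {"cves": 0, "published": 0, "ghost": 0})
    by_layer = defaultdict(lambda: {"cves": 0, "ghost": 0})
    for xsa, year, cve, layer in advisories:
        if cve in seen:          # a CVE may be cited by several XSAs; count once
            continue
        seen.add(cve)
        ghost = is_ghost(cve, index)
        for bucket in (by_year[year], by_layer[layer]):
            bucket["cves"] += 1
            bucket["ghost"] += int(ghost)
        if ghost:
            ghosts.append((xsa, year, cve, layer))
        else:
            by_year[year]["published"] += 1
    return ghosts, dict(by_year), dict(by_layer)

def ghost_rate(bucket):
    """Ghost % within a bucket (ghosts / CVEs in that bucket), not a share of all ghosts."""
    return round(100.0 * bucket["ghost"] / bucket["cves"], 1) if bucket["cves"] else 0.0

if __name__ == "__main__":
    ghosts, by_year, by_layer = audit()
    for year, b in sorted(by_year.items()):
        print(f"{year} | {b['cves']} | {b['published']} | {b['ghost']} | {ghost_rate(b)}")
    for xsa, year, cve, layer in ghosts:
        print(f"ghost: {year} {xsa} {cve} ({layer})")
```

Pointing `is_ghost` at a scanner's own CVE feed instead of `INDEXED_CVES` gives the same check for the cross-reference the last paragraph says has to be done by hand.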