# XSA Ghost CVE Audit - Complete Results

Audited: 2026-05-20 via VulnMCP + CIRCL vulnerability-lookup API

**Method**: Every Xen Security Advisory (XSA-1 through XSA-490) was scraped from xenbits.xen.org. Every CVE referenced in every advisory was checked against CIRCL's vulnerability-lookup platform, which indexes 30+ sources including NVD, cvelistv5, CSAF providers, OSV, and KEV catalogs. A CVE is marked "ghost" if it appears in a published, PGP-signed XSA advisory but has no record in any vulnerability database.

Total XSAs: 490 | Total CVEs: 580 | Published: 567 | **Ghost: 12**

## Key Finding

For 11 years (2011-2021), the Xen Project CNA published every single CVE - 436 CVEs across 358 advisories with a 100% publication rate. Starting 2022, specific CVEs began disappearing. All 12 ghost CVEs share one characteristic: they affect the management/toolstack layer (XAPI, xenstored, varstored, WinPVDrivers), never the hypervisor itself.

## Ghost CVEs by Year

| Year | Total CVEs | Published | Ghost | Ghost % |
|------|-----------|-----------|-------|---------|
| 2026 | 17 | 10 | **7** | **41.2%** |
| 2025 | 26 | 22 | **4** | **15.4%** |
| 2024 | 8 | 8 | 0 | 0% |
| 2023 | 27 | 27 | 0 | 0% |
| 2022 | 66 | 65 | **1** | 1.5% |
| 2021 | 45 | 45 | 0 | 0% |
| 2020 | 54 | 54 | 0 | 0% |
| 2019 | 33 | 33 | 0 | 0% |
| 2018 | 33 | 33 | 0 | 0% |
| 2017 | 45 | 45 | 0 | 0% |
| 2016 | 43 | 43 | 0 | 0% |
| 2015 | 52 | 52 | 0 | 0% |
| 2014 | 42 | 42 | 0 | 0% |
| 2013 | 49 | 49 | 0 | 0% |
| 2012 | 34 | 34 | 0 | 0% |
| 2011 | 6 | 6 | 0 | 0% |

## All 12 Ghost CVEs

| XSA | CVE | Component | Reporter | Embargo flag |
|-----|-----|-----------|----------|-------------|
| XSA-489 | CVE-2026-23559 | XAPI RBAC | "NOT CREDITED" | LACK OF EMBARGO |
| XSA-489 | CVE-2026-23560 | XAPI RBAC | "NOT CREDITED" | LACK OF EMBARGO |
| XSA-489 | CVE-2026-23561 | XAPI RBAC | "NOT CREDITED" | LACK OF EMBARGO |
| XSA-489 | CVE-2026-23562 | XAPI RBAC | "NOT CREDITED" | LACK OF EMBARGO |
| XSA-489 | CVE-2026-42486 | XAPI RBAC | "NOT CREDITED" | LACK OF EMBARGO |
| XSA-483 | CVE-2026-23556 | oxenstored | Andrii Sultanov of Vates | No |
| XSA-478 | CVE-2025-58151 | varstored (UEFI) | Teddy Astie of Vates | No |
| XSA-474 | CVE-2025-58146 | XAPI UTF-8 | Edwin Torok from XenServer | No |
| XSA-468 | CVE-2025-27462 | WinPVDrivers (XenCons) | Tu Dinh of Vates | No |
| XSA-468 | CVE-2025-27463 | WinPVDrivers (XenIface) | Tu Dinh of Vates | No |
| XSA-468 | CVE-2025-27464 | WinPVDrivers (XenBus) | Tu Dinh of Vates | No |
| XSA-396 | CVE-2022-23041 | Linux PV netfront | Demi Marie Obenour and Simon Gaiser | No |

## Pattern Analysis

### By component

| Component layer | Total CVEs (all time) | Ghosts | Ghost % |
|----------------|----------------------|--------|---------|
| Hypervisor (Xen core, x86, EPT, IBPB) | ~400 | 0 | 0% |
| Linux kernel (PV frontends, privcmd) | ~80 | 1 | ~1% |
| Management layer (XAPI, xenstored, varstored, WinPV) | ~100 | 11 | ~11% |

The hypervisor CVEs - reported by Intel, AMD, SUSE, Red Hat, and independent researchers - have a perfect publication record. Ghost CVEs exist only in the management/toolstack layer.

### By reporter affiliation

| Affiliation | Ghost CVEs |
|------------|-----------|
| Vates (XCP-ng) | 6 |
| "NOT CREDITED" (independent) | 5 |
| XenServer (Cloud Software Group) | 1 |
| Independent (Demi Marie Obenour) | 1 |

6 of 12 ghosts were reported by Vates employees. The management layer is the component where XCP-ng and XenServer diverge from upstream Xen and compete commercially.

### XSA-489 is unique

XSA-489 is the only advisory in the entire 15-year XSA history that:
- Has the "LACK OF EMBARGO" editorial note
- Refuses to credit the researcher ("explicitly not credited")
- Claims findings are "AI hallucinations"
- Has all CVEs ghosted (5/5)
- Was patched and published as an advisory but has zero CVE records in any database

Every other ghost CVE credits its reporter by name.

### Impact on vulnerability scanners

These 12 CVEs cannot be found by any vulnerability scanning tool (Nessus, Qualys, Rapid7, OpenVAS, etc.) because the CVE records were never published to NVD, cvelistv5, or any other database that scanners index. Organizations running XCP-ng or XenServer therefore have no automated way to verify whether they are affected by these vulnerabilities or whether the corresponding patches are applied.

## Methodology

1. Scraped all 490 XSA advisories from https://xenbits.xen.org/xsa/
2. Extracted every CVE referenced in advisory text files
3. Checked each CVE against CIRCL's vulnerability-lookup REST API (authenticated, 580 API calls)
4. Cross-referenced reporter names and component types from advisory text
5. Verified ghost status, defined as: CVE number assigned, advisory published with PGP signature, but no CVE record exists in any of the 30+ indexed vulnerability databases
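The classification logic behind steps 2, 3 and 5, as an added example that is not the audit's own `audit-xsa.py`: a regex pulls the CVE ids out of advisory text (collapsing the repeats that advisories contain), an injectable lookup function decides published versus ghost, and the rows are rolled up into the same per-year table shape used above. The advisory snippets, the `offline_lookup` database stand-in and the id `CVE-2022-00001` are constructed here; the live `circl_lookup` helper assumes that vulnerability-lookup serves records at `GET /api/vulnerability/<id>` and reads the key from an `X-API-KEY` header, which must be checked against the instance's API documentation before use.

```python
import json
import re
import urllib.error
import urllib.request
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

# CVE identifiers: CVE-YYYY-NNNN with four or more sequence digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_cves(advisory_text: str) -> list[str]:
    """Unique CVE ids referenced in one advisory, in order of first appearance.
    Advisories repeat the id in the title line and the body, so duplicates
    are collapsed here rather than counted twice."""
    seen: set[str] = set()
    ordered: list[str] = []
    for cve in CVE_RE.findall(advisory_text):
        if cve not in seen:
            seen.add(cve)
            ordered.append(cve)
    return ordered


@dataclass
class AuditRow:
    xsa: str
    cve: str
    status: str  # "published" or "ghost"


Lookup = Callable[[str], Optional[dict]]


def audit(advisories: dict[str, str], lookup: Lookup) -> list[AuditRow]:
    """One row per (advisory, CVE). A CVE is 'ghost' when a signed advisory
    names it but the lookup returns no record at all."""
    rows: list[AuditRow] = []
    for xsa, text in advisories.items():
        for cve in extract_cves(text):
            record = lookup(cve)
            rows.append(AuditRow(xsa, cve, "published" if record else "ghost"))
    return rows


def ghosts_by_year(rows: list[AuditRow]) -> dict[int, tuple[int, int, int, float]]:
    """Per CVE year (taken from the id): (total, published, ghost, ghost %),
    newest year first, matching the layout of the per-year table."""
    totals: dict[int, list[int]] = defaultdict(lambda: [0, 0])
    for row in rows:
        year = int(row.cve.split("-")[1])
        totals[year][0] += 1
        if row.status == "ghost":
            totals[year][1] += 1
    return {
        year: (total, total - ghost, ghost, round(100.0 * ghost / total, 1))
        for year, (total, ghost) in sorted(totals.items(), reverse=True)
    }


def circl_lookup(cve: str, base_url: str = "https://vulnerability.circl.lu",
                 api_key: Optional[str] = None) -> Optional[dict]:
    """Live lookup. ASSUMPTION: the record endpoint is GET /api/vulnerability/<id>
    and the key travels in an X-API-KEY header; confirm against the instance's
    API docs. A 404 means no record in any indexed source, i.e. a ghost."""
    req = urllib.request.Request(f"{base_url}/api/vulnerability/{cve}")
    if api_key:
        req.add_header("X-API-KEY", api_key)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# --- constructed sample data: not real advisory text or database contents ---
SAMPLE_ADVISORIES = {
    "XSA-489": (
        "Xen Security Advisory CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,"
        "CVE-2026-23562,CVE-2026-42486 / XSA-489\n"
        "The first issue is CVE-2026-23559 and the second is CVE-2026-23560.\n"
    ),
    "XSA-396": (
        "Xen Security Advisory CVE-2022-23041,CVE-2022-00001 / XSA-396\n"
        "(CVE-2022-00001 is a constructed placeholder id, not a real CVE)\n"
    ),
}
# Constructed stand-in for the vulnerability database: only the placeholder has a record.
PUBLISHED_RECORDS = {"CVE-2022-00001": {"id": "CVE-2022-00001", "source": "constructed"}}


def offline_lookup(cve: str) -> Optional[dict]:
    return PUBLISHED_RECORDS.get(cve)


if __name__ == "__main__":
    rows = audit(SAMPLE_ADVISORIES, offline_lookup)
    for year, (total, published, ghost, pct) in ghosts_by_year(rows).items():
        print(f"{year}: total={total} published={published} ghost={ghost} ({pct}%)")
```

Swapping `offline_lookup` for `circl_lookup` (with a key) turns the same pipeline into the live audit; keeping the lookup injectable is what lets the ghost definition be tested without network access and re-run against a second database to rule out a single-source indexing gap.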

## Data

- `audit-complete.jsonl` - raw JSONL results (580 entries)
- `XSA-<year>.md` - per-year breakdown
- `audit-xsa.py` - audit script (runs on serena via CIRCL API with authentication)
