Skip to main content

QEMU CVE-2026-3195

| EUVDEUVD-2026-38043 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-19 patrick@puiterwijk.org GHSA-x3gf-fc58-4mvj
7.4
CVSS 3.1 · Vendor: puiterwijk
Share

Severity by source

Vendor (puiterwijk) PRIMARY
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Guest-local vector (AV:L), high complexity for heap grooming (AC:H), requires privileged guest code to drive virtio-snd (PR:L), and VM-to-host escape crosses a security boundary (S:C).

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
7.4 HIGH
qualitative

Primary rating from Vendor (puiterwijk).

CVSS VectorVendor: puiterwijk

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 17:30 vuln.today

DescriptionCVE.org

A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the virtio_snd_pcm_in_cb function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730.

AnalysisAI

Heap out-of-bounds write in QEMU's virtio-snd paravirtualized sound device allows a malicious guest to corrupt host memory by sending oversized audio input that the virtio_snd_pcm_in_cb callback fails to size-check against the iov buffer. The flaw represents an incomplete fix for CVE-2024-7730 and affects hypervisor hosts exposing virtio-snd to untrusted guests. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain code execution in guest VM
Delivery
Load malicious virtio-snd driver in guest
Exploit
Submit crafted iov with oversized PCM input
Install
Trigger virtio_snd_pcm_in_cb heap OOB write
C2
Groom QEMU host heap to overwrite function pointer
Execute
Execute code in QEMU host process
Impact
Escape VM boundary to compromise hypervisor host

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the QEMU virtio-snd paravirtualized sound device to be attached to the target guest - this is opt-in and not part of every VM configuration; (2) the attacker to already have code execution inside the guest VM sufficient to drive the virtio-snd input ring (typically root or a loaded kernel module in the guest); (3) successful manipulation of the iov scatter-gather layout and timing of input callbacks, reflected in CVSS AC:H - heap grooming on the host QEMU process is non-trivial. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.4 with AV:L/AC:H/PR:N/UI:N reflects that exploitation requires local access from within a guest VM and high attack complexity (likely race or precise heap-shape control), but no privileges or user interaction once inside the guest, with full C/I/A impact on the host QEMU process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant on a shared virtualization host loads a malicious kernel module or userspace driver inside their guest that drives the virtio-snd input stream with a crafted iov layout, then triggers `virtio_snd_pcm_in_cb` to write audio frames exceeding the buffer length. The resulting heap overflow in the QEMU host process is shaped to overwrite function pointers or vtables, achieving code execution in the QEMU userspace context and breaking out of the VM boundary. …
Remediation No vendor-released patch identified at time of analysis from the provided references; monitor https://access.redhat.com/security/cve/CVE-2026-3195 and https://bugzilla.redhat.com/show_bug.cgi?id=2443817 for the fixed QEMU package version and apply it as soon as it ships, prioritizing hosts that run untrusted guests. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit QEMU deployments to identify which hosts expose virtio-snd to untrusted or multi-tenant guests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.161 Container suse/sl-micro/6.1/kvm-os-container:2.2.0-3.3 Affected
Image SLES15-SP6-EC2-ECS-HVM Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-3195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy