Skip to main content

QEMU virtio-snd CVE-2026-3196

| EUVDEUVD-2026-38042 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-19 patrick@puiterwijk.org GHSA-crqh-2v7r-3m9w
5.5
CVSS 3.1 · Vendor: puiterwijk
Share

Severity by source

Vendor (puiterwijk) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

AV:L and PR:L because exploitation requires low-privilege execution inside a guest VM; A:H for host memory exhaustion DoS; no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (puiterwijk).

CVSS VectorVendor: puiterwijk

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 17:31 vuln.today

DescriptionCVE.org

An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition.

AnalysisAI

Integer overflow in QEMU's virtio-snd virtual sound device allows a malicious guest VM to trigger unbounded host memory allocation by supplying out-of-bounds stream counts via PCM_INFO requests, resulting in a host-side denial of service. Affected deployments are those where QEMU exposes the virtio-snd device to guest VMs - particularly relevant in multi-tenant or cloud virtualization environments where guest workloads may be untrusted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Control guest VM
Delivery
Load virtio-snd guest driver
Exploit
Send crafted PCM_INFO with oversized stream count
Install
Trigger integer overflow in host QEMU process
C2
Cause unbounded host memory allocation
Execute
Exhaust host memory
Impact
Deny service to guest or host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker control execution within a guest VM running on a QEMU-based hypervisor where the virtio-snd virtual device has been explicitly configured and exposed to that guest. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the constrained threat model: exploitation requires an attacker to already control a guest VM on the target host with virtio-snd enabled, limiting the blast radius compared to network-accessible vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a guest VM on a shared QEMU-based hypervisor - such as a cloud tenant - crafts a malicious virtio-snd PCM_INFO control message with an out-of-bounds stream count field. The QEMU host process processes the request, encounters an integer overflow during stream count validation or size arithmetic, and attempts a correspondingly large or unbounded memory allocation. …
Remediation Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-3196 for vendor-released patches and exact fixed package versions; no confirmed fixed version was available in the provided input data and should be verified directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.161 Container suse/sl-micro/6.1/kvm-os-container:2.2.0-3.3 Affected
Image SLES15-SP6-EC2-ECS-HVM Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-3196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy