Skip to main content

Linux Kernel virtio-gpu CVE-2026-3886

MEDIUM
2026-07-09 vendor:ubuntu
Share

Severity by source

vuln.today AI
7.8 HIGH

Local vector as virtio-gpu is only accessible from within a guest VM; PR:L because device node access requires group membership or equivalent low privilege.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 19:48 vuln.today

DescriptionCVE.org

[virtio-gpu: fix overflow check when allocating 2d image]

AnalysisAI

Integer overflow in the virtio-gpu driver's 2D image allocation path of the Linux kernel exposes virtualized guest systems to potential heap corruption. The flaw resides in an insufficient overflow check performed before allocating memory for a 2D image resource in the virtio-gpu paravirtualized GPU subsystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local access in guest VM
Delivery
Open virtio-gpu DRM device node
Exploit
Submit crafted resource-create-2d with malformed dimensions
Install
Trigger integer overflow bypassing size check
C2
Undersized heap buffer allocated
Execute
Write beyond allocation boundary
Impact
Corrupt kernel heap for privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access within a Linux guest VM running the virtio-gpu kernel driver, typically in a QEMU/KVM environment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment With no CVSS vector, EPSS score, KEV listing, or POC data available, risk must be assessed from first principles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, low-privileged user process within a Linux guest VM opens the virtio-gpu DRM device and issues a resource-create-2d command with crafted width and height values designed to overflow the size calculation, bypassing the flawed bounds check. The resulting undersized heap allocation is then written beyond its bounds during image data population, corrupting adjacent kernel heap objects. …
Remediation Apply the kernel patch addressing the overflow check in the virtio-gpu 2D image allocation path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy