Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H
Attack originates inside the guest VM (AV:L), requires guest root access (PR:H), crosses guest-to-host boundary (S:C), with primary impact being QEMU process crash (A:H) and minor heap corruption (I:L).
Primary rating from Vendor (redhat).
CVSS Vector (Vendor: redhat)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H
Description (CVE.org)
A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.
Analysis (AI)
Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires the attacker to hold high-privilege (root or equivalent administrator) access inside the guest virtual machine - this is confirmed by the CVSS PR:H metric. … |
| Risk Assessment | The CVSS 3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H) accurately reflects the constrained but meaningful risk profile. … |
| Exploit Scenario | An attacker who has obtained root or administrator-level access inside a guest virtual machine running on a RHEL or OpenShift host constructs a malformed virtio-blk SCSI request with an oversized descriptor. When the QEMU host process processes this request without validating descriptor bounds, it writes data beyond the allocated heap buffer, corrupting adjacent memory and causing the QEMU process to crash. … |
| Remediation | Apply the Red Hat-released errata packages for the affected RHEL and OpenShift versions once published; monitor the advisory at https://access.redhat.com/security/cve/CVE-2026-48914 and the Bugzilla ticket at https://bugzilla.redhat.com/show_bug.cgi?id=2488283 for errata availability. … |
EUVD-2026-36408
GHSA-4hmh-vx7h-h98p