Skip to main content

Firecracker CVE-2026-5747

HIGH
Divide By Zero (CWE-369)
2026-04-08 ff89ba41-3aa1-4d27-914a-91399e9639e5
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Re-analysis Queued
Apr 20, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 08, 2026 - 00:22 vuln.today
CVE Published
Apr 08, 2026 - 00:16 nvd
HIGH 8.7

DescriptionCVE.org

An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations.

To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.

AnalysisAI

Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.

Technical ContextAI

This vulnerability exploits the virtio paravirtualization framework, specifically the PCI transport layer that manages I/O between guest VMs and the Firecracker VMM hypervisor. The out-of-bounds write (CWE-369: Divide By Zero mapping appears incorrect; likely CWE-787: Out-of-bounds Write based on description) occurs when a malicious guest manipulates virtio queue configuration registers after device activation. In normal operation, virtio devices follow a strict state machine where configuration occurs before activation; this flaw allows post-activation reconfiguration to write beyond allocated memory boundaries. Firecracker is Amazon's lightweight KVM-based microVM manager designed for serverless and container workloads, making VM escape vulnerabilities particularly critical in multi-tenant cloud environments. The vulnerability affects the core memory safety of the Rust-based VMM process running on the host, potentially allowing arbitrary code execution that completely breaks the VM isolation model.

RemediationAI

Upgrade immediately to Firecracker version 1.14.4 (for 1.13.x-1.14.x users) or 1.15.1 (for 1.15.0 users) or later versions. Release artifacts available at https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.4 and https://github.com/firecracker-microvm/firecracker/releases/tag/v1.15.1. No workarounds are documented; patching is the only effective mitigation. Organizations unable to patch immediately should restrict Firecracker deployments to trusted workloads only and avoid running untrusted guest kernels or snapshot configurations. Review security advisory at https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-776c-mpj7-jm3r for additional vendor guidance and impact assessment details.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-5747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy