Skip to main content

QEMU EUVDEUVD-2026-44840

| CVE-2026-3842 HIGH
Out-of-bounds Write (CWE-787)
2026-07-16 fedora GHSA-6mwr-p34x-55cv
7.8
CVSS 3.1 · Vendor: fedora
Share

Severity by source

Vendor (fedora) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Attacker needs guest code execution (AV:L, PR:L) via a low-complexity emulation path with no user interaction, yielding high C/I/A from host-process heap corruption; scope kept U per the description's focus on QEMU/guest memory.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (fedora).

CVSS VectorVendor: fedora

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 01:13 vuln.today
CVE Published
Jul 16, 2026 - 00:20 cve.org
HIGH 7.8

DescriptionCVE.org

A flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a shorter length than expected, leading to an out-of-bounds write. Successful exploitation could result in unauthorized access to guest memory or corruption of heap-allocated objects, potentially causing information disclosure, data integrity issues, or a denial of service.

AnalysisAI

Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain code execution inside guest VM
Delivery
Invoke emulated device DMA path
Exploit
cpu_physical_memory_map returns short buffer
Execution
Write past mapped region
Persist
Corrupt adjacent QEMU heap objects
Impact
Disclose memory or crash host process

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already have code execution inside a guest VM running under vulnerable QEMU (PR:L, local guest context) and the ability to reach the emulation path that calls cpu_physical_memory_map() with a request that returns a shortened mapping - typically an emulated device or DMA operation whose length crosses a memory-region boundary. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8) describes a low-complexity, low-privilege, local attack with high impact to all three properties - consistent with a guest-side memory-corruption primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised tenant with code execution inside a guest VM drives an emulated device operation that triggers a memory map where cpu_physical_memory_map() returns a short length, then forces the emulator to write past that buffer into adjacent QEMU heap objects. By grooming the host heap, the attacker corrupts a neighboring structure to leak memory or crash the VM process; no public POC is identified at time of analysis, and the low attack complexity means a working exploit would likely be reliable once developed.
Remediation Apply the QEMU package updates from your distribution as the primary fix: Ubuntu via USN-8161-1 (https://ubuntu.com/security/notices/USN-8161-1), SUSE via the referenced SUSE-SU-2026 advisories (for example https://www.suse.com/support/update/SUSE-SU-2026:21883/), and Red Hat per its errata linked from https://access.redhat.com/security/cve/CVE-2026-3842 for RHEL 6-10 and OpenShift Container Platform 4. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all QEMU hypervisor hosts in production and identify their Linux distribution (Red Hat, Ubuntu, SUSE, or Debian) to determine patch availability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

Ubuntu

Priority: Medium
qemu
Release Status Version
resolute needed -
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
upstream needs-triage -
jammy not-affected code not present
noble released 1:8.2.2+ds-0ubuntu1.16
questing released 1:10.1.0+ds-5ubuntu2.6

Debian

qemu
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 1:5.2+dfsg-11+deb11u5 -
bookworm vulnerable 1:7.2+dfsg-7+deb12u18 -
bookworm (security) vulnerable 1:7.2+dfsg-7+deb12u15 -
trixie fixed 1:10.0.10+ds-0+deb13u1 -
trixie (security) vulnerable 1:10.0.2+ds-2+deb13u1 -
forky, sid fixed 1:11.0.2+ds-2 -
(unstable) fixed 1:10.2.2+ds-1 -

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.161 Container suse/sl-micro/6.1/kvm-os-container:2.2.0-3.3 Affected
Container suse/sle-micro/kvm-5.5:2.0.4-3.5.543 Affected
Image SLES15-SP6-EC2-ECS-HVM Affected
Image SLES15-SP7-EC2-ECS-HVM Affected

Share

EUVD-2026-44840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy