CVE Catalog

CVE-2026-48914

MediumCVSS 6.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

1th percentile — higher than 1% of all known CVEs

Summary

A flaw was found in QEMU's virtio-blk device due to improper validation of input descriptor sizes before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request.

Risk Assessment

Exploitation of this vulnerability could lead to an out-of-bounds write in the host heap memory, potentially resulting in a denial of service (DoS) for the QEMU process.

Recommendation

It is recommended to update QEMU to the latest version to patch this vulnerability and to monitor the system for potential exploitation attempts.

Original NVD description (English source)

A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS