CVE-2026-48914
MediumCVSS 6.7Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
A flaw was found in QEMU's virtio-blk device due to improper validation of input descriptor sizes before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request.
Risk Assessment
Exploitation of this vulnerability could lead to an out-of-bounds write in the host heap memory, potentially resulting in a denial of service (DoS) for the QEMU process.
Recommendation
It is recommended to update QEMU to the latest version to patch this vulnerability and to monitor the system for potential exploitation attempts.
Original NVD description (English source)
A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.

