Bug 2453014 (CVE-2026-5164) - CVE-2026-5164 virtio-win: virtio-win: Denial of Service via unvalidated descriptor count in unmap request
Summary: CVE-2026-5164 virtio-win: virtio-win: Denial of Service via unvalidated descr...
Keywords:
Status: NEW
Alias: CVE-2026-5164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-30 14:44 UTC by OSIDB Bzimport
Modified: 2026-03-30 15:01 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-30 14:44:30 UTC 
adaptExt->blk_discard is limited to 16 descriptors, but RhelDoUnMap() never validates the number of descriptors it writes to the array. This is wrong for two separate reasons:

MAX_DISCARD_SEGMENTS is 256, so we may in theory even advertise support for a lot more segments than can actually fit in the array and even well behaving applications could trigger an overrun. (This is mostly theoretical because QEMU's virtio-blk implementation advertises 1 currently.)

The other reason is that BlockDescrCount is taken from a user buffer and has never been validated, so it can exceed the advertised maximum. I reproduced the problem by issuing an unmap request with 1024 descriptors and got an immediate BSOD. RhelDoUnMap() must explicitly validate the number of descriptors.

Use MAX_DISCARD_SEGMENTS as the size of adaptExt->blk_discard to make sure the advertised maximum is actually supported; advertise the full range instead of limiting to MAX_DISCARD_SEGMENTS - 1. Reduce MAX_DISCARD_SEGMENTS to 16 to avoid increasing the array size. And finally check first that the user buffer is even large enough that we can safely access blockDescrDataLength in it.
Note You need to log in before you can comment on or make changes to this bug.