Bug 2488283 (CVE-2026-48914) - CVE-2026-48914 qemu-kvm: Heap buffer overflow in virtio-blk SCSI request handling
Keywords:
Status: NEW
Alias: CVE-2026-48914
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2488291 2488292
Blocks:
Reported: 2026-06-12 09:22 UTC by OSIDB Bzimport
Modified: 2026-06-12 12:55 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-12 09:22:24 UTC
QEMU's virtio-blk device can write past the end of a heap-allocated MMIO bounce buffer while handling a crafted `VIRTIO_BLK_T_SCSI_CMD` request. A malicious guest that can program virtio-blk request descriptors can make the second-to-last writable input descriptor point to an MMIO guest physical address with a length of only 1 byte. QEMU maps that descriptor through an exact-size heap bounce buffer, then `virtio_blk_handle_scsi()` writes the 4-byte `virtio_scsi_inhdr.errors` field without first checking that the descriptor is large enough. A malicious guest can cause an out-of-bounds host heap write in the QEMU process by submitting a malformed virtio-blk SCSI request.
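The missing length check described above, as an added example that is not part of this bug report, of the upstream patch, or of QEMU's own code. It models the request shape the description gives: an array of device-writable ("in") descriptors, each backed by a bounce buffer of exactly the declared length, with the second-to-last one expected to hold `struct virtio_scsi_inhdr`. The descriptor type `iov_entry`, the `bounce` helper and the two `handle_scsi_*` handlers are assumptions for illustration, not QEMU identifiers; the canary bytes after each bounce buffer exist only so the past-the-end write of the 4-byte `errors` field can be observed without undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define VIRTIO_BLK_S_OK    0
#define VIRTIO_BLK_S_IOERR 1

/* SCSI completion header the device writes back (virtio spec layout). */
struct virtio_scsi_inhdr {
    uint32_t errors;
    uint32_t data_len;
    uint32_t sense_len;
    uint32_t residual;
};

/* One mapped "in" descriptor: host pointer plus the length the guest
 * declared. Assumed shape for this example, not QEMU's own type. */
struct iov_entry { void *base; size_t len; };

/* Bounce buffer sized to the descriptor, followed by GUARD canary bytes.
 * QEMU's bounce buffer is exactly `len` bytes; the canary is here only
 * so an out-of-bounds write is visible without undefined behaviour. */
#define GUARD 8
#define CANARY 0xAA
struct bounce { uint8_t *mem; size_t len; };

static struct bounce bounce_alloc(size_t len)
{
    struct bounce b = { malloc(len + GUARD), len };
    memset(b.mem, CANARY, len + GUARD);
    return b;
}

static int canary_intact(const struct bounce *b)
{
    for (size_t i = b->len; i < b->len + GUARD; i++) {
        if (b->mem[i] != CANARY) return 0;
    }
    return 1;
}

/* Vulnerable shape: only the descriptor count is checked, so the 4-byte
 * errors field is stored into the second-to-last "in" descriptor even
 * when the guest declared it as a single byte. */
static int handle_scsi_unchecked(struct iov_entry *in_sg, unsigned in_num,
                                 uint32_t errors)
{
    if (in_num < 2) return VIRTIO_BLK_S_IOERR;
    struct virtio_scsi_inhdr *scsi = in_sg[in_num - 2].base;
    scsi->errors = errors;            /* writes past the end if len < 4 */
    return VIRTIO_BLK_S_OK;
}

/* Hardened shape: refuse the request unless the inhdr descriptor can hold
 * the whole header and the trailing status descriptor holds one byte. */
static int handle_scsi_checked(struct iov_entry *in_sg, unsigned in_num,
                               uint32_t errors)
{
    if (in_num < 2) return VIRTIO_BLK_S_IOERR;
    if (in_sg[in_num - 1].len < 1) return VIRTIO_BLK_S_IOERR;
    if (in_sg[in_num - 2].len < sizeof(struct virtio_scsi_inhdr)) {
        return VIRTIO_BLK_S_IOERR;
    }
    struct virtio_scsi_inhdr *scsi = in_sg[in_num - 2].base;
    scsi->errors = errors;
    return VIRTIO_BLK_S_OK;
}

/* Crafted chain from the report: a 1-byte inhdr descriptor followed by the
 * 1-byte status. Runs one handler; returns 1 if the canary was clobbered. */
static int run_crafted(int (*handler)(struct iov_entry *, unsigned, uint32_t),
                       int *status_out)
{
    struct bounce inhdr = bounce_alloc(1), status = bounce_alloc(1);
    struct iov_entry in_sg[2] = {
        { inhdr.mem, inhdr.len }, { status.mem, status.len },
    };
    *status_out = handler(in_sg, 2, 0x11223344);
    int clobbered = !canary_intact(&inhdr);
    free(inhdr.mem);
    free(status.mem);
    return clobbered;
}

int crafted_request_overflows(void)      /* unchecked handler corrupts heap */
{
    int st;
    return run_crafted(handle_scsi_unchecked, &st) && st == VIRTIO_BLK_S_OK;
}

int crafted_request_rejected(void)       /* checked handler refuses it */
{
    int st;
    return !run_crafted(handle_scsi_checked, &st) && st == VIRTIO_BLK_S_IOERR;
}

int wellformed_request_ok(void)          /* full-size header is accepted */
{
    struct bounce inhdr = bounce_alloc(sizeof(struct virtio_scsi_inhdr));
    struct bounce status = bounce_alloc(1);
    struct iov_entry in_sg[2] = {
        { inhdr.mem, inhdr.len }, { status.mem, status.len },
    };
    int st = handle_scsi_checked(in_sg, 2, 7);
    uint32_t written;
    memcpy(&written, inhdr.mem, sizeof written);
    int ok = st == VIRTIO_BLK_S_OK && written == 7 && canary_intact(&inhdr);
    free(inhdr.mem);
    free(status.mem);
    return ok;
}
```

The check belongs before any store into the descriptor, not after: once the bounce buffer is only as large as the guest declared, the host-side length is the only thing standing between a guest-controlled descriptor and a heap write of `sizeof(struct virtio_scsi_inhdr)` bytes. The same pattern (count check but no per-descriptor size check) is worth grepping for in any other virtio device handler that writes a fixed-size completion structure into a guest-supplied "in" buffer.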

Comment 3 Mauro Matteo Cascella 2026-06-12 09:36:56 UTC
Upstream patch:
https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com/

