Description
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.
Published: 2026-02-21
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Host File Exfiltration
Action: Patch Immediately
AI Analysis

Impact

An attacker running a malicious virtual machine can manipulate the QCOW2 disk header to point to a file on the host system. When the host VM image is later read by the hypervisor during boot or a disk scan, the host file’s contents are delivered to the guest, effectively allowing the guest to retrieve any file the hypervisor process can access. The vulnerability is an example of CWE‑73, where a file path is derived from untrusted user input allowing directory traversal or arbitrary file access. The impact is therefore data exfiltration from the host to the guest, potentially exposing sensitive files such as configuration or credential stores, limited by the host process file permissions.

Affected Systems

The issue affects Cloud Hypervisor versions 34.0 through 50.0 when virtio‑block devices use raw image files. Only images that are writable by the guest or derived from an untrusted source enable the attack. Trusted, read‑only images are not vulnerable. The vulnerability was identified by the Cloud Hypervisor project and addressed in version 50.1.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, indicating severe risk, but the EPSS score is less than 1 %, suggesting low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. The attack can be performed with a single boot or reboot of the guest VM, without interacting with the management stack, and the Cloud Hypervisor process does not terminate upon triggering. Thus, the attack vector is a guest‑initiated operation exploiting file path dependencies in the hypervisor’s image processing logic.

Generated by OpenCVE AI on April 17, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cloud Hypervisor to version 50.1 or later, which contains the patch for this flaw.
  • Enable land lock sandboxing in the hypervisor configuration to isolate guest processes and limit file system access.
  • Ensure that guest disk images are either read‑only or sourced from trusted, validated origins, and that the images are not writable by the guest.

Generated by OpenCVE AI on April 17, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cloudhypervisor:cloud_hypervisor:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Cloudhypervisor
Cloudhypervisor cloud Hypervisor
Vendors & Products Cloudhypervisor
Cloudhypervisor cloud Hypervisor

Sat, 21 Feb 2026 06:00:00 +0000

Type Values Removed Values Added
Description Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.
Title Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse
Weaknesses CWE-73
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Cloudhypervisor Cloud Hypervisor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:17:44.674Z

Reserved: 2026-02-18T19:47:02.156Z

Link: CVE-2026-27211

cve-icon Vulnrichment

Updated: 2026-02-25T21:17:40.992Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-21T06:17:01.253

Modified: 2026-02-24T17:08:14.463

Link: CVE-2026-27211

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses