Description
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.
Published: 2026-06-09
Score: 8.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Cloud Hypervisor’s virtio‑block subsystem allows a guest to corrupt the hypervisor’s memory by submitting duplicate descriptor chains during asynchronous I/O. The resulting free of a bounce buffer while it is still in use can lead to arbitrary code execution or denial of service, as the corrupted memory may affect kernel data structures. This vulnerability is a classic example of the weakness described by CWE‑416.

Affected Systems

The issue is present in Cloud Hypervisor releases from version 21.0 up through just before 51.2. Versions 51.2 and 52.0 contain the fix. The affected component is the virtio‑block driver within the hypervisor.

Risk and Exploitability

The CVSS score of 8.9 denotes high severity, and while no EPSS figure is available, the lack of listing in the CISA KEV catalog suggests it may not yet be actively exploited. The attack requires a guest to orchestrate specific virtual block I/O patterns, so it is not trivially exploitable by an external actor but could be leveraged in a cloud environment where guests can be compromised. Based on the description, the likely attack vector is from within the guest to the hypervisor through virtio‑block.

Generated by OpenCVE AI on June 10, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cloud Hypervisor to version 51.2 or newer, which contains the patch for the use‑after‑free bug.
  • Disable asynchronous block I/O (io_uring, aio) on the hypervisor until the patch is deployed to prevent the use‑after‑free condition.
  • Limit guest privileges to restrict virtio‑block descriptor submission, enforcing access control policies.

Generated by OpenCVE AI on June 10, 2026 at 00:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.
Title Cloud Hypervisor: Use-after-free in virtio-block Async I/O Completion
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T22:53:52.657Z

Reserved: 2026-05-13T07:45:21.252Z

Link: CVE-2026-45782

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:53.267

Modified: 2026-06-10T00:16:53.267

Link: CVE-2026-45782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:00:12Z

Weaknesses