Description
A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.
Published: 2026-06-12
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in QEMU’s virtio‑blk device allows a guest with high privileges to send a malformed SCSI request that bypasses input descriptor size validation. The resulting out‑of‑bounds write corrupts host heap memory and can crash the QEMU process. This crash renders the host unable to manage affected virtual machines, effectively causing a denial of service for services running on that host.

Affected Systems

Affected products include Red Hat Enterprise Linux 6 through 10, Red Hat Enterprise Linux for NVIDIA 26, and Red Hat OpenShift Container Platform 4. The vulnerability resides in the QEMU component bundled with these distributions and any system running the virtio‑blk device in QEMU.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting limited external exploitation. The attack requires a guest with high privileges, making the threat primarily internal or confined to trusted virtual environments. Nonetheless, the ability to crash QEMU can disrupt host services and compromise availability.

Generated by OpenCVE AI on June 12, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Red Hat security update that fixes the virtio‑blk size‑validation bug in QEMU (track the latest errata for your distribution, e.g., RHEL 9+, RHEL NVIDIA, or OpenShift 4).
  • If an update cannot be applied immediately, remove or disable the virtio‑blk device from the VM’s configuration to eliminate the vulnerable code path.
  • Enforce least‑privilege for guests by restricting privileged guest access and limiting the SCSI command set that can reach virtio‑blk.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 10:30:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 09:45:00 +0000

Values Removed: (none)
Values Added:
  • Description: A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.
  • Title: Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling
  • First Time appeared: Redhat; Redhat enterprise Linux; Redhat enterprise Linux Nvidia; Redhat openshift
  • Weaknesses: CWE-122
  • CPEs:
    cpe:/a:redhat:enterprise_linux_nvidia:
    cpe:/a:redhat:openshift:4
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
  • Vendors & Products: Redhat; Redhat enterprise Linux; Redhat enterprise Linux Nvidia; Redhat openshift
  • References
  • Metrics: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-12T10:13:26.042Z

Reserved: 2026-05-26T12:51:11.502Z

Link: CVE-2026-48914

Vulnrichment

Updated: 2026-06-12T09:57:47.176Z

NVD

Status: Awaiting Analysis

Published: 2026-06-12T10:16:22.177

Modified: 2026-06-12T16:06:17.027

Link: CVE-2026-48914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T11:30:25Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow