To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AWS | Firecracker | unaffected |
|
No data.
No data.
No data available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Apr 2026 23:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later. | |
| Title | Out-of-bounds Write in Firecracker virtio-pci Transport | |
| Weaknesses | CWE-369 CWE-787 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
MITRE
Status: PUBLISHED
Assigner: AMZN
Published:
Updated: 2026-04-07T23:20:00.805Z
Reserved: 2026-04-07T14:39:46.309Z
Link: CVE-2026-5747
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-04-08T00:16:05.657
Modified: 2026-04-08T00:16:05.657
Link: CVE-2026-5747
Redhat
No data.
OpenCVE Enrichment
No data.