Description
An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations.

To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation to host code execution via out‑of‑bounds write
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds write occurs in the virtio PCI transport on Firecracker when a local guest with root privileges modifies virtio queue configuration registers after device activation. The flaw can cause the VMM process to crash, resulting in denial of service, or under specific preconditions such as the use of a custom guest kernel or particular snapshot configurations may allow the guest to execute arbitrary code on the host.

Affected Systems

The vulnerability affects Amazon Firecracker versions 1.13.0 through 1.14.3 and 1.15.0 on both x86_64 and aarch64 architectures. Enterprise customers running these releases on AWS or other platforms are impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is less than 1%, and it is not listed in the KEV catalog. The attack is local and requires root privileges within the guest. If the special preconditions are met, host code execution is possible, leading to full system compromise. Otherwise, the most likely outcome is a VMM crash, causing denial of service for the virtual machine it hosts.

Generated by OpenCVE AI on April 20, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firecracker 1.14.4 or 1.15.1 or later
  • Avoid using custom guest kernels that may enable host code execution
  • Revert snapshot configurations that could expose the host to the flaw
  • Monitor guest activity for attempts to modify virtio queue configuration registers

Generated by OpenCVE AI on April 20, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later. An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Aws
Aws firecracker
Vendors & Products Aws
Aws firecracker

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.
Title Out-of-bounds Write in Firecracker virtio-pci Transport
Weaknesses CWE-369
CWE-787
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Aws Firecracker
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-20T17:24:32.674Z

Reserved: 2026-04-07T14:39:46.309Z

Link: CVE-2026-5747

cve-icon Vulnrichment

Updated: 2026-04-08T15:15:55.692Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T00:16:05.657

Modified: 2026-04-20T16:16:49.780

Link: CVE-2026-5747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses