CVE-2026-48914

Description

A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.

How to fix CVE-2026-48914

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Debian/qemu—no fix listed

Is CVE-2026-48914 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48914.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
nvd	CVSS 3.1	MEDIUM6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-48914