PatchSiren cyber security CVE debrief
CVE-2026-45782 cloud-hypervisor CVE debrief
CVE-2026-45782 is a high-severity vulnerability in Cloud Hypervisor, a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g., io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.
- Vendor: cloud-hypervisor
- Product: Unknown
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Anyone running Cloud Hypervisor from version 21.0 up to, but not including, version 51.2 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is a use-after-free in the cloud-hypervisor process. A guest triggers it by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O (e.g., io_uring, aio) is enabled. If the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still reading from or writing to. This can lead to memory corruption and potentially allow for code execution.
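The failure mode described above, as an added illustration that is not Cloud Hypervisor's code or its actual patch: a simplified Rust model of an in-flight request table keyed by the guest-supplied head_index, comparing a submit path that accepts a duplicate with one that rejects it. The `InFlight` type, its methods and the pending-operation counter are hypothetical.

```rust
use std::collections::HashMap;

/// Hypothetical model (not Cloud Hypervisor's code): in-flight async block
/// requests keyed by the guest-chosen descriptor head_index.
#[derive(Default)]
pub struct InFlight {
    /// head_index -> kernel operations still pending on that bounce buffer
    pending: HashMap<u16, u32>,
}

#[derive(Debug, PartialEq)]
pub enum SubmitError {
    DuplicateHead(u16),
}

impl InFlight {
    /// Naive submit: trusts the guest, so a second chain shares the same key.
    pub fn submit_naive(&mut self, head: u16) {
        *self.pending.entry(head).or_insert(0) += 1;
    }

    /// Hardened submit: a head_index that is already in flight is rejected.
    pub fn submit_checked(&mut self, head: u16) -> Result<(), SubmitError> {
        if self.pending.contains_key(&head) {
            return Err(SubmitError::DuplicateHead(head));
        }
        self.pending.insert(head, 1);
        Ok(())
    }

    /// Completion path: releases the buffer on the first completion for `head`
    /// and reports how many kernel operations were still using it.
    pub fn complete(&mut self, head: u16) -> Option<u32> {
        self.pending.remove(&head).map(|n| n - 1)
    }
}

/// Submits head_index 7 twice, then completes once. A non-zero result means
/// the buffer was released while the kernel could still touch it.
pub fn ops_outstanding_at_release(checked: bool) -> u32 {
    let mut table = InFlight::default();
    for _ in 0..2 {
        if checked { let _ = table.submit_checked(7); } else { table.submit_naive(7); }
    }
    table.complete(7).unwrap()
}
```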
Defensive priority
High
Recommended defensive actions
- Upgrade to Cloud Hypervisor version 51.2 or 52.0, which patches this vulnerability.
- Review and update your Cloud Hypervisor deployment to ensure you are running a patched version.
Evidence notes
This vulnerability has been patched in Cloud Hypervisor versions 51.2 and 52.0. Users can refer to the official Cloud Hypervisor releases for more information: [ref-6](https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.2), [ref-7](https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v52.0).
Official resources
CVE-2026-45782 was published on 2026-06-10T00:16:53.267Z and modified on 2026-06-10T20:58:26.290Z.