PatchSiren cyber security CVE debrief
CVE-2026-48914 Red Hat CVE debrief
CVE-2026-48914 is a medium-severity vulnerability in QEMU's virtio-blk device. The device fails to properly validate the size of input descriptors before writing data, allowing a malicious guest with high privileges to submit a malformed virtio-blk SCSI request. This can lead to an out-of-bounds write in the host heap memory and potentially cause a denial of service (DoS) for the QEMU process.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators running QEMU, particularly where a guest's privileged users are not fully trusted, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability stems from the virtio-blk device not validating the size of input descriptors before writing data. A guest with high privileges can submit a malformed virtio-blk SCSI request whose descriptor sizes do not match the buffers the device writes into, potentially leading to an out-of-bounds write in host heap memory and a crash of the QEMU process.
Defensive priority
MEDIUM
Recommended defensive actions
- Update QEMU to a version that includes a fix for this vulnerability.
- Restrict access to high-privilege guest accounts.
- Monitor QEMU process stability and host heap memory usage.
Evidence notes
The CVE record and NVD detail pages provide information on this vulnerability.
Official resources
CVE-2026-48914 was published on 2026-06-12T10:16:22.177Z and modified on 2026-06-12T16:06:17.027Z.