Arbitrary Host File Exfiltration in Cloud Hypervisor by Cloud
CVE-2026-27211

9.1CRITICAL

Key Information:

Vendor

Cloud-hypervisor

Status
Cloud-hypervisor
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27211?

This vulnerability exists in Cloud Hypervisor, a Virtual Machine Monitor designed for cloud workloads, allowing malicious guests to exploit arbitrary file access. Through manipulation of the virtio-block devices backed by raw images, an attacker can overwrite the disk header using a crafted QCOW2 structure. When the virtual machine (VM) is rebooted or scanned, this can result in sensitive host file contents being exposed to the guest. The exploitation does not require management stack interaction because guest-initiated reboots automatically trigger disk scans. Systems utilizing untrusted or writable images are particularly at risk, highlighting the importance of using trusted, read-only images to mitigate this risk. The issue has been addressed in version 50.1, and users are encouraged to employ sandboxing techniques as a precaution.

Affected Version(s)

cloud-hypervisor >= 34.0, < 50.1

References

https://github.com/cloud-hypervisor/cloud-hypervisor/secu...
x_refsource_CONFIRM
https://github.com/cloud-hypervisor/cloud-hypervisor/comm...
x_refsource_MISC
https://github.com/cloud-hypervisor/cloud-hypervisor/comm...
x_refsource_MISC

CVSS V4

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.