Out-of-Bounds Write Vulnerability in QEMU Affects Virtual Machine Security
CVE-2026-3842

7.8HIGH

Key Information:

What is CVE-2026-3842?

A flaw in QEMU has been identified that enables a local attacker operating within a guest virtual machine to write beyond its allocated memory boundaries. This scenario arises when the function cpu_physical_memory_map() returns a shorter length than expected, potentially leading to an out-of-bounds write. If exploited successfully, this vulnerability could grant unauthorized access to guest memory, permit corruption of heap-allocated objects, and raise serious concerns regarding information disclosure and data integrity, in addition to potentially causing denial of service.

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Oleh Konko (1seal) for reporting this issue.
.