Out-of-Bounds Write Vulnerability in Amazon Firecracker
CVE-2026-5747
What is CVE-2026-5747?
An out-of-bounds write vulnerability exists in the virtio PCI transport layer of Amazon Firecracker, affecting versions up to and including 1.14.3 and 1.15.0 on x86_64 and aarch64 architectures. A local guest user with root privileges can exploit it by modifying virtio queue configuration registers after device activation, potentially crashing the Firecracker VMM process or executing arbitrary code on the host system. Successful exploitation may require specific preconditions, such as a custom guest kernel or particular snapshot configurations. To mitigate this issue, update to Firecracker 1.14.4, 1.15.1, or later.
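The bug class described above, queue configuration changing after activation while host-side state was sized from the earlier values, is closed when the transport rejects such writes once DRIVER_OK is set. The Rust model below is an added illustration, not Firecracker's code or its actual patch; `Transport`, `write_queue_size`, `record` and the ring layout are assumptions.

```rust
// Illustrative model only: names and layout are assumptions, not Firecracker's code.
const DRIVER_OK: u8 = 0x04; // virtio device status bit: driver has finished setup

#[derive(Debug, PartialEq)]
enum WriteError { DeviceActive, InvalidSize }

struct Transport {
    status: u8,
    queue_size: u16,
    queue_max: u16,
    ring: Vec<u64>, // host-side per-descriptor state, sized at activation
}

impl Transport {
    fn new(queue_max: u16) -> Self {
        Transport { status: 0, queue_size: queue_max, queue_max, ring: Vec::new() }
    }

    // Guest sets DRIVER_OK: the device sizes its state from the current queue_size.
    fn activate(&mut self) {
        self.ring = vec![0; usize::from(self.queue_size)];
        self.status |= DRIVER_OK;
    }

    // Guest write to the queue_size register: refused once the device is active.
    fn write_queue_size(&mut self, v: u16) -> Result<(), WriteError> {
        if self.status & DRIVER_OK != 0 {
            return Err(WriteError::DeviceActive);
        }
        if v > self.queue_max || !v.is_power_of_two() {
            return Err(WriteError::InvalidSize); // split-ring sizes are powers of two
        }
        self.queue_size = v;
        Ok(())
    }

    // Host-side write indexed by queue_size; bounds-checked as a second line of defence.
    fn record(&mut self, idx: u16, val: u64) -> bool {
        let slot = usize::from(idx % self.queue_size);
        self.ring.get_mut(slot).map(|s| *s = val).is_some()
    }
}

fn main() {
    let mut t = Transport::new(256);
    t.write_queue_size(8).unwrap();
    t.activate();
    println!("{:?}", t.write_queue_size(256));
}
```

Without the `DeviceActive` check, `queue_size` could grow to 256 while `ring` still holds 8 slots, so any unchecked indexing derived from `queue_size` would land past the allocation.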
Affected Version(s)
Firecracker 1.13.0 <= 1.14.3
Firecracker 1.15.0
Firecracker 1.14.4
