CVE-2026-45782

Source
https://cve.org/CVERecord?id=CVE-2026-45782
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45782.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45782
Aliases
  • GHSA-f47p-p25q-83rh
Downstream
Related
Published
2026-06-09T22:53:52.657Z
Modified
2026-07-08T08:05:17.405206492Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Cloud Hypervisor: Use-after-free in virtio-block Async I/O Completion
Details

Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same headindex while asynchronous block I/O is enabled (e.g. iouring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45782.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-416"
    ]
}
References

Affected packages

Git / github.com/cloud-hypervisor/cloud-hypervisor

Affected ranges

Type
GIT
Repo
https://github.com/cloud-hypervisor/cloud-hypervisor
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "21.0"
        },
        {
            "fixed": "51.2"
        }
    ]
}

Affected versions

v21.*
v21.0
v22.*
v22.0
v23.*
v23.0
v24.*
v24.0
v25.*
v25.0
v26.*
v26.0
v27.*
v27.0
v28.*
v28.0
v29.*
v29.0
v30.*
v30.0
v31.*
v31.0
v32.*
v32.0
v33.*
v33.0
v34.*
v34.0
v35.*
v35.0
v36.*
v36.0
v37.*
v37.0
v38.*
v38.0
v39.*
v39.0
v40.*
v40.0
v41.*
v41.0
v42.*
v42.0
v43.*
v43.0
v44.*
v44.0
v45.*
v45.0
v46.*
v46.0
v47.*
v47.0
v48.*
v48.0
v49.*
v49.0
v50.*
v50.0
v51.*
v51.0
v51.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45782.json"