CVE-2026-3842 PUBLISHED

Qemu-kvm: hyperv/syndbg: missing mapped-length guard after cpu_physical_memory_map causes host oob write

Assigner: fedora
Reserved: 09.03.2026 Published: 16.07.2026 Updated: 16.07.2026

A flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a shorter length than expected, leading to an out-of-bounds write. Successful exploitation could result in unauthorized access to guest memory or corruption of heap-allocated objects, potentially causing information disclosure, data integrity issues, or a denial of service.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Product Status

Package Collection https://gitlab.com/qemu-project/qemu
Package Name qemu
Versions Default: unaffected
  • affected from 7.1.0 to 11.0.0 (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: unaffected

Credits

  • Red Hat would like to thank Oleh Konko (1seal) for reporting this issue.

References

Problem Types

  • Out-of-bounds Write CWE