CVE-2026-5164
Buffer Overflow in virtio-win's RhelDoUnMap Causes DoS
Publication date: 2026-03-30
Last updated on: 2026-04-28
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | virtio-win | * |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-5164 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5164 is a buffer overrun vulnerability in the virtio-win viostor driver's unmap functionality, specifically in the RhelDoUnMap() function. This function processes unmap requests by handling block discard descriptors. The vulnerability arises because RhelDoUnMap() does not properly validate the number of descriptors provided by a user, allowing an excessive number of descriptors to be written into a fixed-size array.
The adaptExt->blk_discard array, which stores discard descriptors, is limited to 16 entries, but the driver advertised support for up to 256 discard segments. Since the descriptor count (BlockDescrCount) is taken directly from user input without validation, a malicious user can supply a very large number of descriptors (e.g., 1024), causing a buffer overrun.
This buffer overrun can lead to a system crash, resulting in a Denial of Service (DoS). The vulnerability was fixed by adding explicit validation of the descriptor count, synchronizing array sizes with advertised limits, reducing the maximum discard segments to 16, and isolating per-request discard data to prevent concurrency issues.
How can this vulnerability impact me?
This vulnerability can be exploited by a local user to cause a buffer overrun in the virtio-win viostor driver, leading to a system crash (Blue Screen of Death).
The impact is a Denial of Service (DoS), where the affected system becomes unavailable or unstable due to the crash triggered by malicious or malformed unmap requests containing excessive discard descriptors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a buffer overrun in the virtio-win viostor driver's RhelDoUnMap() function when processing unmap requests with an excessive number of descriptors. Detection would involve monitoring for system crashes (BSOD) related to the viostor driver or unusual unmap requests with descriptor counts exceeding safe limits.
Since the issue is triggered by local user input causing a buffer overrun, detection can include checking system logs for crashes related to the viostor driver and monitoring for abnormal unmap requests.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch that validates the number of descriptors in unmap requests within the RhelDoUnMap() function.
- Ensure that the driver version includes the fix which reduces MAX_DISCARD_SEGMENTS from 256 to 16 and synchronizes the blk_discard array size accordingly.
- Verify that the driver performs explicit validation of the BlockDescrCount against the maximum allowed segments.
- Confirm that the user buffer size is checked before accessing discard descriptor data to prevent out-of-bounds reads.
These steps prevent buffer overruns and system crashes caused by malicious or malformed unmap requests.
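The two checks listed above (descriptor count against the maximum, then caller buffer size), modeled in user space as an added C example; it is not the virtio-win driver's code. The descriptor layout, `request_ctx`, `copy_discard_descs` and `demo` are hypothetical names, and only `MAX_DISCARD_SEGMENTS`, `blk_discard` and the limit of 16 come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DISCARD_SEGMENTS 16   /* post-fix limit named on the page */

/* Simplified, hypothetical descriptor layout (not the driver's real struct). */
struct discard_desc { uint64_t sector; uint32_t num_sectors; uint32_t flags; };

/* Hypothetical stand-in for per-request discard storage. */
struct request_ctx { struct discard_desc blk_discard[MAX_DISCARD_SEGMENTS]; };

enum { COPY_OK = 0, ERR_TOO_MANY = -1, ERR_SHORT_BUFFER = -2 };

/* Copy `count` caller-supplied descriptors into the fixed array.
 * Both checks run before any descriptor byte is read or written. */
int copy_discard_descs(struct request_ctx *ctx, const uint8_t *buf,
                       size_t buf_len, uint32_t count)
{
    if (count > MAX_DISCARD_SEGMENTS)          /* would overrun blk_discard[] */
        return ERR_TOO_MANY;
    /* count <= 16 here, so the multiplication cannot overflow size_t. */
    if (buf_len < (size_t)count * sizeof(struct discard_desc))
        return ERR_SHORT_BUFFER;               /* would read past the input */
    memcpy(ctx->blk_discard, buf, (size_t)count * sizeof(struct discard_desc));
    return COPY_OK;
}

/* Constructed input: a zeroed buffer, at most 32 descriptors long. */
int demo(uint32_t claimed_count, size_t buf_len)
{
    static uint8_t buf[32 * sizeof(struct discard_desc)];
    struct request_ctx ctx;
    if (buf_len > sizeof buf)
        buf_len = sizeof buf;
    return copy_discard_descs(&ctx, buf, buf_len, claimed_count);
}

int main(void)
{
    printf("16 descs, full buffer : %d\n", demo(16, 16 * 16));
    printf("1024 descs claimed    : %d\n", demo(1024, 512));
    printf("8 descs, 4 supplied   : %d\n", demo(8, 4 * 16));
    return 0;
}
```

The count check comes first so that the size computation in the second check is bounded and cannot wrap.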