Executive Summary

CVE-2026-5164 is a buffer overrun vulnerability in the virtio-win viostor driver's unmap functionality, specifically in the RhelDoUnMap() function. This function processes unmap requests by handling block discard descriptors. The vulnerability arises because RhelDoUnMap() does not properly validate the number of descriptors provided by a user, allowing an excessive number of descriptors to be written into a fixed-size array.

The adaptExt->blk_discard array, which stores discard descriptors, is limited to 16 entries, but the driver advertised support for up to 256 discard segments. Since the descriptor count (BlockDescrCount) is taken directly from user input without validation, a malicious user can supply a very large number of descriptors (e.g., 1024), causing a buffer overrun.

This buffer overrun can lead to a system crash, resulting in a Denial of Service (DoS). The vulnerability was fixed by adding explicit validation of the descriptor count, synchronizing array sizes with advertised limits, reducing the maximum discard segments to 16, and isolating per-request discard data to prevent concurrency issues.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-5164 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by a local user to cause a buffer overrun in the virtio-win viostor driver, leading to a system crash (Blue Screen of Death).

The impact is a Denial of Service (DoS), where the affected system becomes unavailable or unstable due to the crash triggered by malicious or malformed unmap requests containing excessive discard descriptors.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a buffer overrun in the virtio-win viostor driver's RhelDoUnMap() function when processing unmap requests with an excessive number of descriptors. Detection would involve monitoring for system crashes (BSOD) related to the viostor driver or unusual unmap requests with descriptor counts exceeding safe limits.

Since the issue is triggered by local user input causing a buffer overrun, detection can include checking system logs for crashes related to the viostor driver and monitoring for abnormal unmap requests.

No specific detection commands are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the patch that validates the number of descriptors in unmap requests within the RhelDoUnMap() function.

• Ensure that the driver version includes the fix which reduces MAX_DISCARD_SEGMENTS from 256 to 16 and synchronizes the blk_discard array size accordingly.
• Verify that the driver performs explicit validation of the BlockDescrCount against the maximum allowed segments.
• Confirm that the user buffer size is checked before accessing discard descriptor data to prevent out-of-bounds reads.

These steps prevent buffer overruns and system crashes caused by malicious or malformed unmap requests.

Useful 0 Not Useful 0