CVE-2026-5165
Use-After-Free in VirtIO Block Device Causes Memory Corruption
Publication date: 2026-03-30
Last updated on: 2026-04-28
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | virtio-win | * |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5165 is a use-after-free vulnerability found in the VirtIO Block (BLK) device driver within virtio-win. The flaw occurs during the device reset process, where the driver fails to properly manage memory. Specifically, when the device is reset, pending Storage Request Blocks (SRBs) are completed without fully resetting and reinitializing the device. This causes the device to reference memory that Windows has already freed, leading to memory corruption.
The vulnerability arises because the reset flow does not properly pause the device I/O queues and completes requests while the device is still using memory that has already been freed on the Windows side. This mismatch causes a use-after-free condition, which can corrupt system memory and cause instability or unexpected behavior.
How can this vulnerability impact me?
This vulnerability can allow a local attacker to corrupt system memory by exploiting the use-after-free condition during the VirtIO BLK device reset. The memory corruption can lead to system instability, crashes, or unexpected behavior, potentially affecting the reliability and security of the affected system.
Because the vulnerability involves memory corruption at a low driver level, it could be leveraged to cause denial of service or potentially escalate privileges if combined with other exploits, although the CVSS score indicates a medium severity with high impact on confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-5165 vulnerability, it is important to ensure that the VirtIO BLK device reset operation is properly implemented to avoid use-after-free conditions.
- Apply the updated VirtIO BLK driver that includes the comprehensive reimplementation of the bus reset operation, which fully resets and reinitializes the device before completing pending requests.
- Ensure the reset flow includes pausing the StorPort adapter to halt all device I/O queues safely during reset.
- Perform a full VirtIO device reset using `virtio_device_reset`.
- Delete all VirtIO queues via `virtio_delete_queues`.
- Clean up all device memory with `virtio_device_shutdown`.
- Complete all pending Storage Request Blocks (SRBs) in the guest driver by calling `CompletePendingRequestsOnReset`.
- Reinitialize the VirtIO device by invoking `virtio_device_initialize`, `virtio_find_queues`, and related initialization routines.
- Resume the StorPort adapter to continue normal operation.
These steps prevent premature freeing or reuse of device memory while still referenced by the device, eliminating the memory corruption risk and improving driver stability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability CVE-2026-5165 is a use-after-free memory corruption issue in the VirtIO BLK device reset implementation within virtio-win, which is triggered during device reset operations. Detection involves monitoring for abnormal system behavior or crashes related to VirtIO BLK device resets.
Since the issue occurs during the reset of the VirtIO device, detection can focus on observing the reset process and memory usage patterns of the virtio-win driver, especially around the completion of Storage Request Blocks (SRBs).
There are no specific network commands or signatures provided to detect this vulnerability directly from network traffic, as it is a local memory corruption issue triggered by device reset operations.
For system-level detection, you can monitor Windows event logs for errors related to the VirtIO BLK device or StorPort driver resets, and use debugging tools to trace calls to functions like `virtio_device_reset`, `virtio_delete_queues`, and `CompletePendingRequestsOnReset`.
Suggested commands or approaches include:
- Use Windows Event Viewer to check for device or driver errors related to VirtIO BLK or StorPort.
- Use Windows Performance Monitor or Sysinternals tools (e.g., Process Monitor) to observe driver activity and memory usage during device resets.
- Enable kernel debugging or use Windows Driver Verifier targeting the virtio-win driver to catch improper memory handling during reset.
- If source code or driver debugging is possible, trace or log calls to the reset-related functions (`virtio_device_reset`, `virtio_delete_queues`, `CompletePendingRequestsOnReset`) to detect abnormal sequences or failures.
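As an added example (not code from virtio-win or from this page's source), the C program below checks a traced sequence of reset-path calls against the ordering given in the mitigation steps, and flags a trace in which `CompletePendingRequestsOnReset` runs before the device has been reset, its queues deleted and its memory shut down. The trace format, the `adapter_pause` and `adapter_resume` tags and both sample traces are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reset steps in the order the mitigation list gives them. "adapter_pause" and
   "adapter_resume" are hypothetical trace tags, not real routine names. */
enum { PAUSE, DEV_RESET, DEL_QUEUES, SHUTDOWN, COMPLETE, REINIT, RESUME, NSTEPS };
static const char *const STEP[NSTEPS] = {
    "adapter_pause", "virtio_device_reset", "virtio_delete_queues",
    "virtio_device_shutdown", "CompletePendingRequestsOnReset",
    "virtio_device_initialize", "adapter_resume" };

enum verdict { TRACE_OK, TRACE_NOT_PAUSED, TRACE_UAF_WINDOW, TRACE_INCOMPLETE };

/* Walk the call names traced during one reset; return the first violation. */
enum verdict check_reset_trace(const char *const *calls, int n)
{
    const unsigned torn_down =
        (1u << DEV_RESET) | (1u << DEL_QUEUES) | (1u << SHUTDOWN);
    unsigned seen = 0;                    /* bit s is set once STEP[s] appeared */

    for (int i = 0; i < n; i++) {
        int s = 0;
        while (s < NSTEPS && strcmp(calls[i], STEP[s]) != 0)
            s++;
        if (s == NSTEPS)
            continue;                     /* call that is not a tracked step */
        if (s != PAUSE && !(seen & (1u << PAUSE)))
            return TRACE_NOT_PAUSED;      /* I/O queues were never halted */
        if (s == COMPLETE && (seen & torn_down) != torn_down)
            return TRACE_UAF_WINDOW;      /* SRBs completed before teardown */
        seen |= 1u << s;
    }
    return seen == (1u << NSTEPS) - 1 ? TRACE_OK : TRACE_INCOMPLETE;
}

/* Constructed sample traces (not captured from a real driver). */
static const char *const FULL_RESET[] = {
    "adapter_pause", "virtio_device_reset", "virtio_delete_queues",
    "virtio_device_shutdown", "CompletePendingRequestsOnReset",
    "virtio_device_initialize", "virtio_find_queues", "adapter_resume" };
static const char *const EARLY_COMPLETE[] = {
    "adapter_pause", "CompletePendingRequestsOnReset", "adapter_resume" };

int main(void)
{
    printf("full reset:     %d\n", check_reset_trace(FULL_RESET, 8));
    printf("early complete: %d\n", check_reset_trace(EARLY_COMPLETE, 3));
    return 0;
}
```

Calls that are not one of the seven tracked steps, such as `virtio_find_queues` in the first sample trace, are skipped rather than treated as violations.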
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-5165 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.