CVE-2026-5165
Received Received - Intake
Use-After-Free in VirtIO Block Device Causes Memory Corruption

Publication date: 2026-03-30

Last updated on: 2026-04-28

Assigner: Red Hat, Inc.

Description
A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system instability or unexpected behavior.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5165
EUVD
EUVD-2026-17113
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
redhat virtio-win *
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-5165 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-5165 is a use-after-free vulnerability found in the VirtIO Block (BLK) device driver within virtio-win. The flaw occurs during the device reset process, where the driver fails to properly manage memory. Specifically, when the device is reset, pending Storage Request Blocks (SRBs) are completed without fully resetting and reinitializing the device. This causes the device to reference memory that Windows has already freed, leading to memory corruption.

The vulnerability arises because the reset flow does not pause device I/O queues properly and completes requests while the device memory is still in use but freed on the Windows side. This mismatch causes a use-after-free condition, which can corrupt system memory and cause instability or unexpected behavior.

Impact Analysis

This vulnerability can allow a local attacker to corrupt system memory by exploiting the use-after-free condition during the VirtIO BLK device reset. The memory corruption can lead to system instability, crashes, or unexpected behavior, potentially affecting the reliability and security of the affected system.

Because the vulnerability involves memory corruption at a low driver level, it could be leveraged to cause denial of service or potentially escalate privileges if combined with other exploits, although the CVSS score indicates a medium severity with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate the CVE-2026-5165 vulnerability, it is important to ensure that the VirtIO BLK device reset operation is properly implemented to avoid use-after-free conditions.

  • Apply the updated VirtIO BLK driver that includes the comprehensive reimplementation of the bus reset operation, which fully resets and reinitializes the device before completing pending requests.
  • Ensure the reset flow includes pausing the StorPort adapter to halt all device I/O queues safely during reset.
  • Perform a full VirtIO device reset using `virtio_device_reset`.
  • Delete all VirtIO queues via `virtio_delete_queues`.
  • Clean up all device memory with `virtio_device_shutdown`.
  • Complete all pending Storage Request Blocks (SRBs) in the guest driver by calling `CompletePendingRequestsOnReset`.
  • Reinitialize the VirtIO device by invoking `virtio_device_initialize`, `virtio_find_queues`, and related initialization routines.
  • Resume the StorPort adapter to continue normal operation.

These steps prevent premature freeing or reuse of device memory while still referenced by the device, eliminating the memory corruption risk and improving driver stability.

Detection Guidance

The vulnerability CVE-2026-5165 is a use-after-free memory corruption issue in the VirtIO BLK device reset implementation within virtio-win, which is triggered during device reset operations. Detection involves monitoring for abnormal system behavior or crashes related to VirtIO BLK device resets.

Since the issue occurs during the reset of the VirtIO device, detection can focus on observing the reset process and memory usage patterns of the virtio-win driver, especially around the completion of Storage Request Blocks (SRBs).

There are no specific network commands or signatures provided to detect this vulnerability directly from network traffic, as it is a local memory corruption issue triggered by device reset operations.

For system-level detection, you can monitor Windows event logs for errors related to the VirtIO BLK device or StorPort driver resets, and use debugging tools to trace calls to functions like `virtio_device_reset`, `virtio_delete_queues`, and `CompletePendingRequestsOnReset`.

Suggested commands or approaches include:

  • Use Windows Event Viewer to check for device or driver errors related to VirtIO BLK or StorPort.
  • Use Windows Performance Monitor or Sysinternals tools (e.g., Process Monitor) to observe driver activity and memory usage during device resets.
  • Enable kernel debugging or use Windows Driver Verifier targeting the virtio-win driver to catch improper memory handling during reset.
  • If source code or driver debugging is possible, trace or log calls to the reset-related functions (`virtio_device_reset`, `virtio_delete_queues`, `CompletePendingRequestsOnReset`) to detect abnormal sequences or failures.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart