Executive Summary

CVE-2026-5747 is a high-severity vulnerability in the virtio PCI transport layer of Amazon Firecracker versions 1.13.0 through 1.14.3 and 1.15.0. It allows a local guest user with root privileges to perform out-of-bounds writes by modifying virtio queue configuration registers after device activation.

The vulnerability arises because bounds validation on the virtio queue size is only done during initialization, so changes after activation can cause writes beyond the intended memory area. This can lead to denial of service by crashing the Firecracker VMM process or, under certain conditions such as using a custom guest kernel or specific snapshot configurations, potentially allow arbitrary code execution on the host.

Mitigation involves upgrading Firecracker to versions 1.14.4 or 1.15.1 and later, or disabling the virtio PCI transport by removing the --enable-pci flag and reverting to the legacy MMIO transport.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-5747 is a high-severity vulnerability that impacts the confidentiality, integrity, and availability of systems running affected versions of Firecracker. It allows a local guest user with root privileges to potentially execute arbitrary code on the host or cause denial of service, which could lead to unauthorized data modification or disclosure.

Such impacts on confidentiality, integrity, and availability could affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Organizations using vulnerable Firecracker versions might face increased risk of data breaches or service disruptions, potentially leading to non-compliance with these regulations.

Mitigation involves upgrading to patched Firecracker versions (1.14.4 or 1.15.1 and later) or disabling the vulnerable PCI transport feature, which helps maintain compliance by reducing the risk of exploitation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a local guest user with root privileges to crash the Firecracker Virtual Machine Monitor (VMM) process, causing denial of service.

In more severe cases, if additional preconditions are met (such as using a custom guest kernel or specific snapshot configurations), it could allow the guest to execute arbitrary code on the host system, compromising the host's confidentiality, integrity, and availability.

Disabling the PCI transport or upgrading to patched versions mitigates these risks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability exists in the virtio PCI transport layer of Firecracker when started with the --enable-pci flag. Detection involves verifying the Firecracker version and whether the PCI transport is enabled.

• Check the Firecracker version to see if it is between 1.13.0 and 1.14.3 inclusive, or exactly 1.15.0, which are vulnerable versions.
• Check if Firecracker is running with the --enable-pci flag, which enables the vulnerable virtio PCI transport.
• Monitor Firecracker VMM process logs for crashes or panics such as divide-by-zero errors, which may indicate exploitation attempts.

Suggested commands:

• To check Firecracker version: `firecracker --version`
• To check running Firecracker processes and their command line flags: `ps aux | grep firecracker`
• To review Firecracker logs for crashes or errors: `journalctl -u firecracker` or check the configured log file.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, the recommended immediate steps are:

• Upgrade Firecracker to version 1.14.4, 1.15.1, or later, which contain fixes addressing this vulnerability.
• If upgrading is not immediately possible, disable the virtio PCI transport by removing the --enable-pci flag and revert to the legacy MMIO transport, which is not affected by this issue.
• Be aware that disabling PCI transport may reduce I/O throughput and increase latency.

Additionally, ensure that any forks or derivative codebases of Firecracker are also patched accordingly.

Useful 0 Not Useful 0