CVE-2026-5747
Out-of-Bounds Write in Firecracker Virtio PCI Enables Host Crash
Publication date: 2026-04-08
Last updated on: 2026-04-20
Assigner: AMZN
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | firecracker | 1.13.0 |
| amazon | firecracker | 1.14.3 |
| amazon | firecracker | 1.15.0 |
| amazon | firecracker | From 1.14.4 (inc) |
| amazon | firecracker | From 1.15.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5747 is a high-severity vulnerability in the virtio PCI transport layer of Amazon Firecracker versions 1.13.0 through 1.14.3 and 1.15.0. It allows a local guest user with root privileges to perform out-of-bounds writes by modifying virtio queue configuration registers after device activation.
The vulnerability arises because bounds validation on the virtio queue size is only done during initialization, so changes after activation can cause writes beyond the intended memory area. This can lead to denial of service by crashing the Firecracker VMM process or, under certain conditions such as using a custom guest kernel or specific snapshot configurations, potentially allow arbitrary code execution on the host.
Mitigation involves upgrading Firecracker to versions 1.14.4 or 1.15.1 and later, or disabling the virtio PCI transport by removing the --enable-pci flag and reverting to the legacy MMIO transport.
How can this vulnerability impact me?
This vulnerability can impact you by allowing a local guest user with root privileges to crash the Firecracker Virtual Machine Monitor (VMM) process, causing denial of service.
In more severe cases, if additional preconditions are met (such as using a custom guest kernel or specific snapshot configurations), it could allow the guest to execute arbitrary code on the host system, compromising the host's confidentiality, integrity, and availability.
Disabling the PCI transport or upgrading to patched versions mitigates these risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability exists in the virtio PCI transport layer of Firecracker when started with the --enable-pci flag. Detection involves verifying the Firecracker version and whether the PCI transport is enabled.
- Check the Firecracker version to see if it is between 1.13.0 and 1.14.3 inclusive, or exactly 1.15.0, which are vulnerable versions.
- Check if Firecracker is running with the --enable-pci flag, which enables the vulnerable virtio PCI transport.
- Monitor Firecracker VMM process logs for crashes or panics such as divide-by-zero errors, which may indicate exploitation attempts.
Suggested commands:
- To check Firecracker version: `firecracker --version`
- To check running Firecracker processes and their command line flags: `ps aux | grep firecracker`
- To review Firecracker logs for crashes or errors: `journalctl -u firecracker` or check the configured log file.
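The version and flag checks above, as an added shell example that is not code from the advisory or from the Firecracker project: it classifies a version string against the affected ranges listed on this page and picks out firecracker processes started with `--enable-pci` from `ps -eo pid,args` style output. The sample process lines are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory page or the Firecracker project.
# It classifies a version string against the affected ranges stated above
# (1.13.0 to 1.14.3 inclusive, or exactly 1.15.0) and scans `ps -eo pid,args`
# style output for firecracker processes started with --enable-pci.
# SAMPLE_PS is constructed and the function names are this example's own.

# Returns 0 when "$1" is an affected version, 1 when it is not, and 2 when the
# string is not a plain major.minor[.patch] version (check such hosts by hand).
fc_version_affected() {
    v=${1#v}                                   # tolerate a leading "v"
    case "$v" in ""|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0          # "1.14" means 1.14.0
    [ "$major" -eq 1 ] || return 1
    case "$minor" in
        13) return 0 ;;                        # every 1.13.x lies in the range
        14) [ "$patch" -le 3 ] && return 0 ;;  # 1.14.0 .. 1.14.3
        15) [ "$patch" -eq 0 ] && return 0 ;;  # 1.15.0 only; 1.15.1+ is fixed
    esac
    return 1
}

# Returns 0 when the command line in "$1" carries --enable-pci as its own
# argument, i.e. the vulnerable virtio PCI transport is switched on.
fc_cmdline_uses_pci() {
    for arg in $1; do                          # word-split on purpose
        [ "$arg" = "--enable-pci" ] && return 0
    done
    return 1
}

# Constructed sample of `ps -eo pid,args` output: two VMMs and the grep noise
# that `ps aux | grep firecracker` would also show.
SAMPLE_PS='1201 /usr/bin/firecracker --api-sock /run/fc1.sock --enable-pci
1202 /usr/bin/firecracker --api-sock /run/fc2.sock
1203 grep firecracker'

# Prints, one per line, the PIDs of firecracker binaries started with
# --enable-pci; "$1" is ps output in the SAMPLE_PS format.
pci_enabled_pids() {
    printf '%s\n' "$1" | while read -r pid args; do
        case "${args%% *}" in *firecracker) ;; *) continue ;; esac
        if fc_cmdline_uses_pci "$args"; then printf '%s\n' "$pid"; fi
    done
}

pci_enabled_pids "$SAMPLE_PS"
```

On a real host, feed `pci_enabled_pids` the output of `ps -eo pid,args` and `fc_version_affected` the bare version number taken from `firecracker --version`.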
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the recommended immediate steps are:
- Upgrade Firecracker to version 1.14.4, 1.15.1, or later, which contain fixes addressing this vulnerability.
- If upgrading is not immediately possible, disable the virtio PCI transport by removing the --enable-pci flag and revert to the legacy MMIO transport, which is not affected by this issue.
- Be aware that disabling PCI transport may reduce I/O throughput and increase latency.
Additionally, ensure that any forks or derivative codebases of Firecracker are also patched accordingly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-5747 is a high-severity vulnerability that impacts the confidentiality, integrity, and availability of systems running affected versions of Firecracker. It allows a local guest user with root privileges to potentially execute arbitrary code on the host or cause denial of service, which could lead to unauthorized data modification or disclosure.
Such impacts on confidentiality, integrity, and availability could affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Organizations using vulnerable Firecracker versions might face increased risk of data breaches or service disruptions, potentially leading to non-compliance with these regulations.
Mitigation involves upgrading to patched Firecracker versions (1.14.4 or 1.15.1 and later) or disabling the vulnerable PCI transport feature, which helps maintain compliance by reducing the risk of exploitation.