CVE-2026-3196
Integer Overflow in QEMU virtio-snd Device

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Fedora Project

Description
An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition.
Affected Vendors & Products

Vendor: redhat
Product: qemu-kvm
Version / Range: From 2026-03-02 (inc)
CWE

CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Executive Summary

This vulnerability is an integer overflow found in the virtio-snd device used by qemu-kvm. It occurs when the device improperly handles PCM_INFO requests from a guest system. A malicious guest can send out-of-bounds or excessive stream counts, which can cause the host to allocate an unbounded amount of memory.

This improper handling can lead to a denial of service condition on the host system.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition on the host system running the virtio-snd device. A malicious guest can exploit this flaw to cause the host to allocate excessive memory, potentially exhausting system resources and disrupting normal operations.

Mitigation Strategies

This vulnerability involves an integer overflow in the virtio-snd device of qemu-kvm triggered by malicious PCM_INFO requests from a guest. To mitigate this issue, it is recommended to update qemu-kvm to a version where this vulnerability is fixed.

Since the vulnerability allows a guest to cause unbounded memory allocation leading to denial of service on the host, restricting or disabling the virtio-snd device for untrusted guests can reduce risk until a patch is applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
