CVE-2026-3842
Received Received - Intake

Out-of-Bounds Write in QEMU Virtual Machine

Vulnerability report for CVE-2026-3842, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Fedora Project

Description

A flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a shorter length than expected, leading to an out-of-bounds write. Successful exploitation could result in unauthorized access to guest memory or corruption of heap-allocated objects, potentially causing information disclosure, data integrity issues, or a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
qemu qemu-kvm *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds write flaw in QEMU. When cpu_physical_memory_map() returns a shorter length than expected, a local attacker in a guest VM can write data beyond allocated memory. This may corrupt heap objects or expose guest memory, leading to crashes, data leaks, or privilege escalation.

Impact Analysis

If exploited, this flaw could allow unauthorized access to guest memory, corrupt critical data, or crash the system. Attackers might steal sensitive information, alter system behavior, or cause denial-of-service conditions affecting virtualized environments.

Compliance Impact

This vulnerability could lead to unauthorized data access or corruption, violating confidentiality and integrity requirements in GDPR and HIPAA. Organizations using vulnerable QEMU versions may face compliance violations, legal penalties, or reputational damage due to potential data breaches.

Detection Guidance

Detection of this vulnerability requires checking for outdated QEMU or qemu-kvm versions. Inspect installed packages using commands like 'rpm -qa | grep qemu' on RPM-based systems or 'dpkg -l | grep qemu' on Debian-based systems. Compare versions against the fixed release.

Mitigation Strategies

Apply the upstream QEMU patch immediately. Update qemu-kvm to the latest fixed version. If patching is not immediately possible, restrict guest access to untrusted users and disable unnecessary components like hyperv and syndbg to reduce attack surface.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart