Skip to main content
CVE Vulnerability Database

CVE-2026-5164: Redhat Virtio-win DOS Vulnerability

CVE-2026-5164 is a Denial of Service flaw in Redhat Virtio-win caused by improper input validation that allows local users to crash systems. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2026-5164 Overview

A buffer overrun vulnerability exists in the virtio-win paravirtualized drivers for Windows guests running on KVM. The flaw resides in the RhelDoUnMap() function, which fails to validate the number of descriptors provided by a user during an unmap request. A local user inside a Windows guest can supply an excessive number of descriptors, triggering a buffer overrun in the driver. Successful exploitation crashes the system and results in a Denial of Service (DoS). The vulnerability affects Red Hat virtio-win drivers shipped with Red Hat Enterprise Linux 9.0 and 10.0 hypervisor environments. The issue is tracked under [CWE-120] (Classic Buffer Overflow).

Critical Impact

A local authenticated user can crash the guest operating system by issuing a crafted unmap request with an oversized descriptor count, causing service disruption.

Affected Products

  • Red Hat virtio-win (KVM guest drivers for Windows)
  • Red Hat Enterprise Linux 9.0
  • Red Hat Enterprise Linux 10.0

Discovery Timeline

  • 2026-03-30 - CVE-2026-5164 published to NVD
  • 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-5164

Vulnerability Analysis

The virtio-win project provides paravirtualized drivers for Microsoft Windows guests running under KVM. These drivers exchange data with the host hypervisor through virtqueues, which are arrays of descriptors describing memory buffers for I/O operations. The vulnerable RhelDoUnMap() function processes unmap requests issued by a user inside the guest. The function does not verify whether the supplied descriptor count remains within the allocated buffer bounds before iterating through descriptors. When the supplied count exceeds the expected limit, the function writes beyond the bounds of the destination buffer, corrupting adjacent memory. The resulting memory corruption destabilizes the driver and triggers a kernel-mode crash (bug check) inside the Windows guest.

Root Cause

The root cause is missing input validation on the descriptor count parameter passed to RhelDoUnMap(). The function trusts user-supplied input without bounding checks against the allocated descriptor array size. This classic buffer overflow pattern matches [CWE-120], where copy operations proceed without verifying input size against destination capacity.

Attack Vector

Exploitation requires local access with low privileges on the affected guest system. No user interaction is required, and the attack does not cross trust boundaries beyond the local guest. The impact is limited to availability, with no confidentiality or integrity compromise. The vulnerability cannot be exploited remotely or used to escape the guest virtual machine.

No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Red Hat CVE-2026-5164 Advisory and the GitHub Pull Request for Virtio Drivers for the upstream code fix.

Detection Methods for CVE-2026-5164

Indicators of Compromise

  • Unexpected Windows guest bug checks (Blue Screen of Death) referencing viostor.sys, vioscsi.sys, or other virtio-win driver modules.
  • Repeated guest crashes correlated with specific local user activity or workloads issuing unmap operations.
  • Hypervisor logs showing abnormal virtqueue activity from a guest immediately preceding a crash.

Detection Strategies

  • Monitor Windows kernel crash dumps for stack frames originating in RhelDoUnMap() or surrounding virtio driver routines.
  • Correlate guest availability events with the version of installed virtio-win drivers across the fleet.
  • Audit installed driver versions on Windows guests to identify hosts running vulnerable virtio-win builds.

Monitoring Recommendations

  • Enable Windows Error Reporting on guest systems to capture minidumps for post-crash analysis.
  • Track guest uptime metrics and alert on repeated unscheduled reboots tied to specific user sessions.
  • Centralize hypervisor and guest event logs in a SIEM to correlate crashes with privileged local activity.

How to Mitigate CVE-2026-5164

Immediate Actions Required

  • Inventory all Windows guests running on Red Hat Enterprise Linux 9.0 or 10.0 hypervisors and identify those using virtio-win drivers.
  • Apply the updated virtio-win driver package once released by Red Hat through the standard advisory channel.
  • Restrict local guest accounts to trusted users until patched drivers are deployed.

Patch Information

The upstream fix is tracked in the GitHub Pull Request for Virtio Drivers, which adds proper validation of the descriptor count inside RhelDoUnMap(). Red Hat tracks remediation under Red Hat Bug Report #2453014. Consult the Red Hat CVE-2026-5164 Advisory for the current fixed package versions for Red Hat Enterprise Linux 9.0 and 10.0.

Workarounds

  • Limit interactive and local logon rights on Windows guests to administrators and trusted service accounts.
  • Apply the principle of least privilege to applications running inside Windows guests to reduce the population of users able to issue unmap operations.
  • Snapshot critical Windows guests before driver updates to enable rapid rollback if regressions occur.
bash
# Example: list installed virtio-win driver version on a Windows guest (run in PowerShell)
Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like "*VirtIO*" } | Select-Object DeviceName, DriverVersion, DriverDate

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.