8.7

CVE-2026-5747

Medienbericht

Out-of-bounds Write in Firecracker virtio-pci Transport

An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations.

To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AmazonFirecracker Version >= 1.13.0 <= 1.14.3
AmazonFirecracker Version1.15.0 Update-
AmazonFirecracker Version1.15.0 Updatedev
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.108
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ff89ba41-3aa1-4d27-914a-91399e9639e5 8.7 0 0
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ff89ba41-3aa1-4d27-914a-91399e9639e5 7.5 0.8 6
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-369 Divide By Zero

The product divides a value by zero.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
20.04.2026 16:46
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.15.1
Release Notes
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.4
Release Notes
https://aws.amazon.com/security/security-bulletins/2026-015-aws/
Vendor Advisory
https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-776c-mpj7-jm3r
Vendor Advisory