CVE-2026-27211

Feb. 21, 2026, 6:17 a.m.

9.1
Critical

Description

Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.

Product(s) Impacted

Vendor Product Versions
Cloud Hypervisor
  • Cloud Hypervisor
  • 34.0-50.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-73
External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cloud_hypervisor cloud_hypervisor 34.0-50.0 / / / / / / /

References

https://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43
https://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41
https://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648
https://github.com/cloud-hypervisor/cloud-hypervisor/commit/cb495959a8bea1b56e8fc82d15ba527a0e7fcf3c
https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v50.1
https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.0
https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-jmr4-g2hv-mjj6

Tags

[email protected]
CWE-73
2026-02-21
CVE-2026-27211

CVSS Score

9.1 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Feb. 21, 2026, 6:17 a.m.
Last Modified: Feb. 21, 2026, 6:17 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.