{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0665", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2026-01-07T12:09:11.643Z", "datePublished": "2026-02-18T20:50:03.724Z", "dateUpdated": "2026-02-18T21:27:14.216Z"}, "containers": {"cna": {"title": "Qemu-kvm: heap off-by-one in kvm xen physdevop_map_pirq", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption."}], "affected": [{"versions": [{"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "10.2.0"}], "packageName": "qemu", "collectionURL": "https://gitlab.com/qemu-project/qemu", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm-ma", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel/qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-0665", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428640", "name": "RHBZ#2428640", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-01-09T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-787: Out-of-bounds Write", "timeline": [{"lang": "en", "time": "2026-01-12T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2026-02-18T20:50:03.724Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T21:26:51.744252Z", "id": "CVE-2026-0665", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T21:27:14.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0665", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T21:26:51.744252Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T21:27:06.428Z"}}], "cna": {"title": "Qemu-kvm: heap off-by-one in kvm xen physdevop_map_pirq", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "10.2.0"}], "packageName": "qemu", "collectionURL": "https://gitlab.com/qemu-project/qemu", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "qemu-kvm-ma", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "virt:rhel/qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-12T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-01-09T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-0665", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428640", "name": "RHBZ#2428640", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2026-02-18T20:50:03.724Z"}, "x_redhatCweChain": "CWE-787: Out-of-bounds Write"}}, "cveMetadata": {"cveId": "CVE-2026-0665", "state": "PUBLISHED", "dateUpdated": "2026-02-18T21:27:14.216Z", "dateReserved": "2026-01-07T12:09:11.643Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2026-02-18T20:50:03.724Z", "assignerShortName": "fedora"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption."}, {"lang": "es", "value": "Se encontr\u00f3 un error 'off-by-one' (desbordamiento por un elemento) en el soporte de QEMU para invitados KVM Xen. Un invitado malicioso podr\u00eda aprovechar este fallo para desencadenar accesos fuera de l\u00edmite a la pila en el proceso de QEMU a trav\u00e9s de la interfaz de hiperllamada physdev de Xen emulada, lo que llevar\u00eda a una denegaci\u00f3n de servicio o a una posible corrupci\u00f3n de memoria."}], "id": "CVE-2026-0665", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "patrick@puiterwijk.org", "type": "Secondary"}]}, "published": "2026-02-18T21:16:22.633", "references": [{"source": "patrick@puiterwijk.org", "url": "https://access.redhat.com/security/cve/CVE-2026-0665"}, {"source": "patrick@puiterwijk.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428640"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}

{"bugzilla": {"description": "qemu-kvm: Heap off-by-one in KVM Xen PHYSDEVOP_map_pirq", "id": "2428640", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428640"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-125|CWE-787)", "details": ["An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption."], "name": "CVE-2026-0665", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-01-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0665\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0665"], "statement": "Xen guest support is disabled at build time in the `qemu-kvm` packages as shipped with Red Hat Enterprise Linux. Consequently, RHEL is not affected by this CVE.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T17:56:17.633207+00:00", "value": {"mitigation_remediation": ["Update the host\u2019s QEMU/KVM packages to the latest Red\u00a0Hat releases that contain the patch for CVE\u20112026\u20110665.", "If a patch is not yet available, configure the host to restrict or disable Xen physdev hypercalls for untrusted guest VMs, limiting the ability of guests to invoke this interface.", "Consider disabling Xen support in QEMU if it is not required, thereby reducing the attack surface available to guest VMs."], "summary": {"action": "Apply Patch", "impact": "Denial of Service and potential memory corruption"}, "threat_synthesis": {"affected_systems": "The affected platform is Red\u00a0Hat Enterprise\u00a0Linux across releases\u00a06,\u00a07,\u00a08,\u00a09, and\u00a010, as well as Red\u00a0Hat OpenShift Container Platform\u00a04. All hosts running the default QEMU/KVM packages for these distributions are potentially impacted.", "description_and_impact": "An off\u2011by\u2011one error in QEMU\u2019s handling of the Xen physdev hypercall kvm xen physdevop_map_pirq allows a malicious guest VM to trigger an out\u2011of\u2011bounds heap access in the QEMU process. This flaw can lead to service interruption or memory corruption, exposing the host system to downtime. The vulnerability is categorized as both an out\u2011of\u2011bounds read (CWE\u2011125) and write (CWE\u2011787), underscoring its impact on the integrity of the QEMU heap.", "risk_and_exploitability": "The CVSS base score of 6.5 denotes a medium severity assessment. EPSS indicates a very low probability of exploitation (<\u00a01\u202f%). The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly known exploits yet. The likely attack vector involves a malicious guest that issues a crafted Xen physdev hypercall; the attacker must have the ability to run a virtual machine on the host, making this a local\u2011escalation style threat in a multi\u2011tenant or virtualized environment."}}}}, "created": "2026-04-18T18:00:06.466794+00:00", "updated": "2026-04-18T18:00:06.466806+00:00", "vendors": []}