CVE-2026-27211
CVE-2026-27211 is a critical-severity vulnerability in Cloudhypervisor Cloud Hypervisor with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-73.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v4: 9.1
- EPSS exploit prediction: 0% (39th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-7729
- Weakness: CWE-73
- Affected product: Cloudhypervisor Cloud Hypervisor
- Published:
- Last modified:
Description
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.
Frequently asked questions
- What is CVE-2026-27211?
- Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.
- How severe is CVE-2026-27211?
- CVE-2026-27211 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-27211 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (39th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-27211?
- CVE-2026-27211 affects Cloudhypervisor Cloud Hypervisor. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-27211?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-27211 have an EU (EUVD) identifier?
- Yes. CVE-2026-27211 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-7729.
- When was CVE-2026-27211 published?
- CVE-2026-27211 was published on 2026-02-21 and last updated on 2026-06-17.
References
- https://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43
- https://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41
- https://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648
- https://github.com/cloud-hypervisor/cloud-hypervisor/commit/cb495959a8bea1b56e8fc82d15ba527a0e7fcf3c
- https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v50.1
- https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.0
- https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-jmr4-g2hv-mjj6
Affected products (1)
- cpe:2.3:a:cloudhypervisor:cloud_hypervisor:*:*:*:*:*:rust:*:*
More vulnerabilities in Cloudhypervisor Cloud Hypervisor
- CVE-2023-30612 — Medium (CVSS 4.0): Cloud hypervisor is a Virtual Machine Monitor for Cloud workloads. This vulnerability allows users to close arbitrary…
All CVEs affecting Cloudhypervisor Cloud Hypervisor →
Other CWE-73 vulnerabilities
- CVE-2025-71338 — Critical (CVSS 10.0): Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows…
- CVE-2026-39907 — Critical (CVSS 10.0): Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on…
- CVE-2025-71334 — Critical (CVSS 9.8): Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to…
- CVE-2025-71333 — Critical (CVSS 9.8): Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments…
- CVE-2026-39006 — Critical (CVSS 9.8): An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath…
- CVE-2026-11526 — Critical (CVSS 9.8): GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments…