CVE-2026-2243 — Out-of-bounds Read in Qemu

CWE-125 — Out-of-bounds Read9 documents9 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 95.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Msrc Azl3 Qemu 8.2.0-27 ON Azure Linux 3.0 +1 more

Timeline

PublishedFeb 19

Latest updateApr 9

Description

A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 2.5 | Impact: 2.5

Affected Packages4 packages

▶debiandebian/qemu< qemu 1:10.2.2+ds-1 (forky)

▶Debianqemu/qemu< 1:10.2.2+ds-1

▶msrcmsrc/azl3_qemu_8.2.0-27_on_azure_linux_3.0

▶msrcmsrc/cbl2_qemu_6.2.0-26_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CVE-2026-2243: A flaw was found in QEMU↗2026-02-19

▶

GHSA

GHSA-cw9w-w7fx-35q6: A flaw was found in QEMU↗2026-02-19

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2026-04-09

▶

Red Hat

qemu-kvm: Heap buffer out-of-bounds read in VMDK compressed grain parsing↗2026-02-10

▶

Microsoft

Qemu-kvm: heap buffer out-of-bounds read in vmdk compressed grain parsing↗2026-02-10

▶

Debian

CVE-2026-2243: qemu - A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2243 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-2243 qemu-kvm: Heap buffer out-of-bounds read in VMDK compressed grain parsing↗2026-02-19

▶