CVE-2026-27211 — External Control of File Name or Path in Cloud Hypervisor

CWE-73 — External Control of File Name or Path3 documents3 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 83.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudhypervisor Cloud Hypervisor Cloud-hypervisor Msrc Azl3 Cloud-hypervisor 48.0.246-1 ON Azure Linux 3.0 +1 more

Timeline

Latest updateFeb 10

PublishedFeb 21

Description

Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Affected Packages4 packages

▶NVDcloudhypervisor/cloud_hypervisor34.0 — 50.1

▶CVEListV5cloud-hypervisor/cloud-hypervisor>= 34.0, < 50.1

▶msrcmsrc/azl3_cloud-hypervisor_48.0.246-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_cloud-hypervisor-cvm_38.0.72.2-5_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

📋Vendor Advisories

Microsoft

Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse↗2026-02-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27211 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶