Description
A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730.
Problem types
Product status
8.2.0 (semver)
Timeline
| 2026-03-02: | Reported to Red Hat. |
| 2026-02-20: | Made public. |
Credits
Red Hat would like to thank DARKNAVY (DarkNavyOrg) and Mingyuan Luo for reporting this issue.
References
access.redhat.com/security/cve/CVE-2026-3195
bugzilla.redhat.com/show_bug.cgi?id=2443817 (RHBZ#2443817)