Medium severity6.7NVD Advisory· Published Mar 30, 2026· Updated Apr 28, 2026

CVE-2026-5164

Description

A flaw was found in virtio-win. The RhelDoUnMap() function does not properly validate the number of descriptors provided by a user during an unmap request. A local user could exploit this input validation vulnerability by supplying an excessive number of descriptors, leading to a buffer overrun. This can cause a system crash, resulting in a Denial of Service (DoS).

Affected products

Red Hat/Virtio Win
cpe:2.3:a:redhat:virtio-win:-:*:*:*:*:*:*:*
Red Hat/Enterprise Linux2 versions
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/virtio-win/kvm-guest-drivers-windows/pull/1504nvdIssue TrackingPatch
access.redhat.com/security/cve/CVE-2026-5164nvdVendor Advisory
bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.436
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000