{"id":"CVE-2026-45782","summary":"Cloud Hypervisor: Use-after-free in virtio-block Async I/O Completion","details":"Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.","aliases":["GHSA-f47p-p25q-83rh"],"modified":"2026-07-08T08:05:17.405206492Z","published":"2026-06-09T22:53:52.657Z","related":["openSUSE-SU-2026:10907-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45782.json","cwe_ids":["CWE-416"]},"references":[{"type":"WEB","url":"https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.2"},{"type":"WEB","url":"https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v52.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45782.json"},{"type":"ADVISORY","url":"https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-f47p-p25q-83rh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45782"},{"type":"FIX","url":"https://github.com/cloud-hypervisor/cloud-hypervisor/commit/1314ac883c641f1045bbb06dec0de045a3894baa"},{"type":"FIX","url":"https://github.com/cloud-hypervisor/cloud-hypervisor/pull/8220"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloud-hypervisor/cloud-hypervisor","events":[{"introduced":"95ca79974a32f3dab5987032361d0ecd2aa65512"},{"fixed":"aa208c147e3f975830d5afc0e95edcc18dc34f6a"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"21.0"},{"fixed":"51.2"}]}}],"versions":["v51.1","v51.0","v50.0","v49.0","v48.0","v47.0","v46.0","v45.0","v44.0","v43.0","v42.0","v41.0","v40.0","v39.0","v37.0","v38.0","v35.0","v36.0","v34.0","v32.0","v33.0","v30.0","v31.0","v29.0","v28.0","v27.0","v26.0","v25.0","v24.0","v23.0","v22.0","v21.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45782.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}