Version fields as listed on the page: 1.10.0, 2.5.4
A denial-of-service (DoS) vulnerability has been identified in Virtio-win, a virtualization component. This flaw stems from insufficient input validation within the RhelDoUnMap() function, allowing a local attacker to trigger a buffer overrun. Affected versions include those from 1.0.0 through 2.5.3; the vulnerability is resolved in version 2.5.4.
Successful exploitation of CVE-2026-5164 allows a local attacker to crash the system hosting Virtio-win. The attacker can achieve this by crafting a malicious unmap request containing an excessive number of descriptors. This leads to a buffer overrun, resulting in a denial of service. While the vulnerability is local, it can disrupt critical services running within the virtualized environment, potentially impacting applications and data dependent on the affected system. The blast radius is limited to the host system, but the impact can be significant depending on the role of the virtual machine.
CVE-2026-5164 is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low to medium, reflecting the local nature of the exploit and the requirement for specific knowledge of Virtio-win internals. Public proof-of-concept (PoC) code is currently unavailable, but the vulnerability's nature suggests that a PoC could be developed relatively easily. Active exploitation campaigns are not currently reported.
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-5164 is to upgrade Virtio-win to version 2.5.4 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective, restricting the number of descriptors allowed in unmap requests at the hypervisor level might offer some protection. Monitor system logs for unusual patterns related to Virtio-win operations, specifically focusing on errors related to descriptor handling. After upgrading, confirm the fix by attempting a malicious unmap request with an excessive number of descriptors and verifying that the system does not crash.
Update the Virtio-win driver to version 2.5.4 or higher to mitigate the vulnerability. This update corrects the lack of descriptor number validation, thus preventing the potential buffer overflow and denial of service.
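As an added illustration of the defect class the advisory describes, and not code from the Virtio-win project: a handler that trusts a caller-supplied descriptor count and copies that many entries into a fixed-size scratch buffer, shown next to a hardened handler that bounds the count before any copy or size arithmetic. Every name, structure layout and limit here (struct unmap_descriptor, struct unmap_request, MAX_UNMAP_DESCRIPTORS, handle_unmap_request) is hypothetical; the page does not describe RhelDoUnMap()'s internals, only that it lacked descriptor-count validation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical descriptor and request layouts. The advisory does not
 * describe Virtio-win's real structures; these exist only to show the
 * missing bound check on a caller-supplied descriptor count. */
struct unmap_descriptor {
    uint64_t gpa;      /* guest-physical address of the region */
    uint32_t length;   /* region length in bytes */
    uint32_t flags;
};

struct unmap_request {
    uint32_t count;                        /* supplied by the requester */
    const struct unmap_descriptor *descs;  /* 'count' entries */
};

/* Capacity of the fixed on-stack scratch area (assumed, not the driver's). */
#define MAX_UNMAP_DESCRIPTORS 64u

enum unmap_status {
    UNMAP_OK           =  0,
    UNMAP_ERR_TOO_MANY = -1,   /* count exceeds the scratch capacity */
    UNMAP_ERR_NULL     = -2    /* missing request or descriptor pointer */
};

/* Pattern of the defect: 'count' is trusted, so a request carrying more
 * than MAX_UNMAP_DESCRIPTORS entries writes past the end of 'scratch'.
 * Kept for contrast only; nothing below calls it. */
int handle_unmap_request_unchecked(const struct unmap_request *req)
{
    struct unmap_descriptor scratch[MAX_UNMAP_DESCRIPTORS];
    memcpy(scratch, req->descs, (size_t)req->count * sizeof(scratch[0]));
    return (int)req->count;
}

/* The check a fix of this kind adds: validate the count before any copy or
 * size arithmetic. Bounding 'count' itself, rather than count * sizeof,
 * also rules out a multiplication wrap on a 32-bit size_t. */
static int validate_unmap_request(const struct unmap_request *req)
{
    if (req == NULL || (req->count != 0 && req->descs == NULL))
        return UNMAP_ERR_NULL;
    if (req->count > MAX_UNMAP_DESCRIPTORS)
        return UNMAP_ERR_TOO_MANY;
    return UNMAP_OK;
}

/* Hardened handler: a malformed request is rejected and 'scratch' is never
 * written. Returns the number of descriptors processed, or a negative
 * enum unmap_status value. */
int handle_unmap_request(const struct unmap_request *req)
{
    struct unmap_descriptor scratch[MAX_UNMAP_DESCRIPTORS];
    int rc = validate_unmap_request(req);
    if (rc != UNMAP_OK)
        return rc;
    if (req->count == 0)
        return 0;   /* nothing to copy; also avoids memcpy with a NULL source */

    /* Safe: count <= MAX_UNMAP_DESCRIPTORS was established above. */
    memcpy(scratch, req->descs, (size_t)req->count * sizeof(scratch[0]));

    int processed = 0;
    for (uint32_t i = 0; i < req->count; i++) {
        /* Stand-in for the real unmap work: skip zero-length entries. */
        if (scratch[i].length != 0)
            processed++;
    }
    return processed;
}

int main(void)
{
    /* Constructed sample descriptors. */
    struct unmap_descriptor d[4] = {
        { 0x1000, 4096, 0 }, { 0x2000, 4096, 0 },
        { 0x3000,    0, 0 }, { 0x4000, 8192, 0 }
    };
    struct unmap_request good      = { 4, d };
    struct unmap_request oversized = { 100000u, d };  /* count far beyond capacity */

    printf("good request: %d\n", handle_unmap_request(&good));           /* 3 */
    printf("oversized request: %d\n", handle_unmap_request(&oversized)); /* -1 */
    return 0;
}
```

The point of ordering in the hardened handler is that the rejection happens on the count field alone, before the descriptor array is dereferenced or its byte size computed, so an oversized request costs nothing but a comparison and leaves no partially written state behind.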
CVE-2026-5164 is a denial-of-service vulnerability in Virtio-win affecting versions 1.0.0–2.5.3. An attacker can trigger a system crash by sending a request with too many descriptors.
You are affected if you are running Virtio-win versions 1.0.0 through 2.5.3. Upgrade to version 2.5.4 or later to mitigate the risk.
The recommended fix is to upgrade Virtio-win to version 2.5.4 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting descriptors at the hypervisor level.
Currently, there are no reports of active exploitation campaigns targeting CVE-2026-5164, but a PoC could be developed.
Refer to the relevant security advisory from the Virtio-win project or the hypervisor vendor for specific details and updates.