Platform: linux
Component: virtio-win
Fixed in: 1.10.0, 2.5.4
CVE-2026-5165 describes a use-after-free vulnerability discovered in Virtio-win, specifically within the VirtIO Block (BLK) device. This flaw arises during a device reset when memory is not properly managed, potentially leading to system instability or unexpected behavior. The vulnerability affects versions 1.0.0 through 2.5.3 of Virtio-win, and a patch is available in version 2.5.4.
Successful exploitation of CVE-2026-5165 allows a local attacker to corrupt system memory. This corruption can manifest as system crashes, unexpected application behavior, or potentially even arbitrary code execution, depending on the memory region affected. The attack requires local access to the system running Virtio-win, so on its own it is not remotely exploitable. However, if combined with other vulnerabilities or privilege escalation techniques, the impact could be significantly broadened. The use-after-free nature of the vulnerability suggests a potential for complex exploitation scenarios, similar to those seen in other memory corruption vulnerabilities.
CVE-2026-5165 was publicly disclosed on 2026-03-30. The vulnerability's impact is limited to local access, reducing the immediate risk of widespread exploitation. There are currently no publicly available proof-of-concept exploits. The EPSS score is likely to be low to medium, reflecting the local access requirement and the lack of public exploits. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-5165 is to upgrade Virtio-win to version 2.5.4 or later. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider temporarily disabling the VirtIO Block device if it is not essential for the system's operation. A WAF rule is not applicable to this kind of memory corruption vulnerability, but monitoring system logs for unusual memory access patterns or crashes related to Virtio-win can provide early warning of potential exploitation. After upgrading, confirm the fix by checking the Virtio-win version with modinfo virtio_win on Linux systems.
Update the Virtio-win driver to version 2.5.4 or higher to mitigate the memory corruption vulnerability. The update corrects the improper memory handling during the VirtIO Block (BLK) device reset process, preventing the use of memory after it has been freed. Refer to Red Hat sources for installation instructions specific to your Red Hat Enterprise Linux distribution.
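The version check described above, written out as an added example (not code from the advisory or the Virtio-win project): it parses the version line from modinfo-style output and reports whether the version falls inside the affected range 1.0.0 through 2.5.3. The module name virtio_win is taken from the advisory; the modinfo output format (a "version:" field) and the embedded sample output are assumptions and constructed data, not captured from a real system.

```shell
#!/bin/sh
# Added example for CVE-2026-5165: decide whether an installed virtio-win
# version lies in the affected range 1.0.0 .. 2.5.3 (from the advisory).

# Compare two dotted numeric versions; prints -1, 0 or 1.
# Any suffix such as "-rc1" is stripped before comparison (assumption).
vercmp() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    IFS=. read -r a1 a2 a3 rest <<EOF
$a
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$b
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}
        y=${pair##*:}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the version is within 1.0.0 .. 2.5.3 inclusive.
is_affected() {
    [ "$(vercmp "$1" 1.0.0)" -ge 0 ] && [ "$(vercmp "$1" 2.5.3)" -le 0 ]
}

# Pull the value of the "version:" field out of modinfo-style text on stdin.
# On a live system: modinfo virtio_win | version_from_modinfo
version_from_modinfo() {
    awk -F: '$1 == "version" { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Constructed sample output (assumed layout, not from a real host).
SAMPLE_MODINFO='description:    constructed sample
version:        2.5.3
license:        GPL'

# Returns the verdict for the sample output as a string.
check_sample() {
    v=$(printf '%s\n' "$SAMPLE_MODINFO" | version_from_modinfo)
    if is_affected "$v"; then
        echo "virtio-win $v: affected by CVE-2026-5165, upgrade to 2.5.4 or later"
    else
        echo "virtio-win $v: outside the affected range"
    fi
}

check_sample
```

Replace the sample text with the real command output (modinfo virtio_win | version_from_modinfo) to run the check on a host; a version that compares as 2.5.4 or higher, or a 1.10.0 build as listed under "Fixed in", is reported as outside the range.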
CVE-2026-5165 is a use-after-free vulnerability in Virtio-win versions 1.0.0–2.5.3. A device reset triggers memory mismanagement, potentially leading to system instability.
You are affected if you are running Virtio-win versions 1.0.0 through 2.5.3 and have not upgraded. Check your version using modinfo virtio_win.
Upgrade Virtio-win to version 2.5.4 or later. If immediate upgrade is not possible, consider temporarily disabling the VirtIO Block device.
There are currently no publicly available proof-of-concept exploits, and no confirmed active exploitation campaigns.
Refer to the relevant security advisory from the Virtio-win project or your virtualization platform vendor for specific details and updates.