{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T21:29:22.456","vulnerabilities":[{"cve":{"id":"CVE-2026-27211","sourceIdentifier":"security-advisories@github.com","published":"2026-02-21T06:17:01.253","lastModified":"2026-02-24T17:08:14.463","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access."},{"lang":"es","value":"Cloud Hypervisor es un Monitor de Máquina Virtual para cargas de trabajo en la nube. Las versiones 34.0 a 50.0 son vulnerables a la exfiltración arbitraria de archivos del host (limitada por los privilegios del proceso) al usar dispositivos virtio-block respaldados por imágenes raw. Un invitado malicioso puede sobrescribir su encabezado de disco con una estructura QCOW2 manipulada que apunta a una ruta sensible del host. Tras el siguiente arranque de la máquina virtual o escaneo de disco, la autodetección del formato de imagen analiza este encabezado y entrega el contenido del archivo del host al invitado. Los reinicios de la máquina virtual iniciados por el invitado son suficientes para activar un escaneo de disco y no provocan la salida del proceso de Cloud Hypervisor. Por lo tanto, una única máquina virtual puede realizar este ataque sin necesidad de interacción de la pila de gestión. La explotación exitosa requiere que la imagen de respaldo sea escribible por el invitado o que provenga de un origen no confiable. Las implementaciones que utilizan solo imágenes de confianza y de solo lectura no se ven afectadas. Este problema ha sido solucionado en la versión 50.1. Para una solución alternativa, habilite el sandboxing de land lock y restrinja los privilegios y el acceso del proceso."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-73"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cloudhypervisor:cloud_hypervisor:*:*:*:*:*:rust:*:*","versionStartIncluding":"34.0","versionEndExcluding":"50.1","matchCriteriaId":"DE7082B0-CAF7-4360-9514-D81B0372765D"}]}]}],"references":[{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/commit/cb495959a8bea1b56e8fc82d15ba527a0e7fcf3c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v50.1","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-jmr4-g2hv-mjj6","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}