CVE-2026-0665 Qemu-kvm: heap off-by-one in kvm xen physdevop_map_pirq

🗓️ 18 Feb 2026 20:50:03Reported by fedoraType

Off-by-one heap error in Qemu KVM Xen support enables out-of-bounds access via physdev calls, risking memory corruption.

Reporter	Title	Published	Views	Family All 44
Circl	CVE-2026-0665	6 Feb 202614:39	–	circl
CNNVD	QEMU 安全漏洞	18 Feb 202600:00	–	cnnvd
CVE	CVE-2026-0665	18 Feb 202620:50	–	cve
Debian CVE	CVE-2026-0665	18 Feb 202620:50	–	debiancve
Oracle linux	virt:kvm_utils3 bug fix update	24 Apr 202600:00	–	oraclelinux
Oracle linux	qemu-kvm security update	24 Apr 202600:00	–	oraclelinux
NVD	CVE-2026-0665	18 Feb 202621:16	–	nvd
Tenable Nessus	openSUSE 16 Security Update : qemu (openSUSE-SU-2026:20357-1)	15 Mar 202600:00	–	nessus
Tenable Nessus	Oracle Linux 8 : virt:kvm_utils3 (ELSA-2026-50239)	27 Apr 202600:00	–	nessus
Tenable Nessus	Oracle Linux 9 : qemu-kvm (ELSA-2026-50241)	28 Apr 202600:00	–	nessus

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver",
        "lessThanOrEqual": "10.2.0"
      }
    ],
    "packageName": "qemu",
    "collectionURL": "https://gitlab.com/qemu-project/qemu",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 10",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "qemu-kvm",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:10"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 6",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "qemu-kvm",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "qemu-kvm",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "qemu-kvm-ma",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "virt:rhel/qemu-kvm",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "qemu-kvm",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhcos",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:openshift:4"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2026-0665

18 Feb 2026 20:50Current

CVSS 3.16.5

EPSS0.00008

CWE-787