CVE-2026-5747 Out-of-bounds Write in Firecracker virtio-pci Transport

🗓️ 07 Apr 2026 23:17:23Reported by AMZNType

Out-of-bounds write in virtio-pci transport may crash the VMM or enable host code execution under preconditions; upgrade Firecracker to 1.14.4 or 1.15.1.

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2026-5747	7 Apr 202623:17	–	attackerkb
AlpineLinux	CVE-2026-5747	7 Apr 202623:17	–	alpinelinux
Circl	CVE-2026-5747	7 Apr 202615:16	–	circl
CNNVD	Amazon Firecracker 安全漏洞	8 Apr 202600:00	–	cnnvd
CVE	CVE-2026-5747	7 Apr 202623:17	–	cve
EUVD	EUVD-2026-19996	7 Apr 202623:17	–	euvd
Hacker One	AWS VDP: Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability	15 May 202616:29	–	hackerone
NVD	CVE-2026-5747	8 Apr 202600:16	–	nvd
OSV	OPENSUSE-SU-2026:10561-1 firecracker-1.15.1-1.1 on GA media	16 Apr 202600:00	–	osv
Positive Technologies	PT-2026-31052	7 Apr 202600:00	–	ptsecurity

[
  {
    "vendor": "AWS",
    "product": "Firecracker",
    "versions": [
      {
        "status": "affected",
        "version": "1.13.0",
        "lessThanOrEqual": "1.14.3",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1.15.0"
      },
      {
        "status": "unaffected",
        "version": "1.14.4"
      },
      {
        "status": "unaffected",
        "version": "1.15.1"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
github	www.github.com/firecracker-microvm/firecracker/releases/tag/v1.14.4
github	www.github.com/firecracker-microvm/firecracker/releases/tag/v1.15.1
aws	www.aws.amazon.com/security/security-bulletins/2026-015-aws/
github	www.github.com/firecracker-microvm/firecracker/security/advisories/GHSA-776c-mpj7-jm3r

20 Apr 2026 17:24Current

CVSS 3.17.5

CVSS 48.7

EPSS0.00008