CVE-2026-3196
ADVISORY - debianSummary
An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition.
- qemu 1:10.2.2+ds-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129605) [trixie] - qemu 1:10.0.10+ds-0+deb13u1 [bookworm] - qemu (Vulnerable code not present) [bullseye] - qemu (VirtIO sound device introduced in v8.2.0) https://lore.kernel.org/qemu-devel/20260220-virtio-snd-series-v1-0-207c4f7200a2@linaro.org/ Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/61679d7dcfa2dffc8fb115aa19b09e0e7cf5ea5c (v11.0.0-rc0) Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/d84fbf241d0322f19adfbe466c60bed5f50de262 (v10.2.2)
EPSS Score: 0.00102 (0.011)
Common Weakness Enumeration (CWE)
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-3196
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AlowUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-3196
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-