CVE-2026-41438
Public on 2026-06-01
Modified on 2026-06-01
Description
The vulnerability is a 16-bit integer wrap: when sizeof(*pe) + lv->name_size exceeds UINT16_MAX, the pe->size field (uint16_t) wraps, leading to memory corruption in the QEMU process.
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/2c4c582f3f179b2508ca259fda9e722adc973b40 (v11.0.1)
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/2c4c582f3f179b2508ca259fda9e722adc973b40 (v11.0.1)
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | qemu | Not Affected | ||
| Amazon Linux 2023 | qemu | Not Affected | ||
| Amazon Linux 2 - Core | qemu-kvm | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H |