Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse

9.1 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Description

Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.

AI Analysis

Arbitrary host file exfiltration via QCOW2 structure abuse in Cloud Hypervisor versions 34.0 through 50.0

Basic Information

ID CVE-2026-27211

Source GitHub_M

Published Feb 21, 2026 at 05:36

Affected Product

Vendor cloud-hypervisor

Product cloud-hypervisor

Version >= 34.0, < 50.1

Affected Versions cloud-hypervisor cloud-hypervisor >= 34.0, < 50.1

CWE Classification

CWE-73

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Cloud Hypervisor Project

Product Cloud Hypervisor

Version 34.0-50.0

References

{
    "lastseen": "",
    "description": "Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.",
    "published": "2026-02-21T05:36:33.169Z",
    "modified": "2026-02-21T05:36:33.169Z",
    "type": "cve",
    "title": "Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse",
    "source": "GitHub_M",
    "references": "https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-jmr4-g2hv-mjj6\nhttps://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43\nhttps://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41\nhttps://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648\nhttps://github.com/cloud-hypervisor/cloud-hypervisor/commit/cb495959a8bea1b56e8fc82d15ba527a0e7fcf3c\nhttps://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v50.1\nhttps://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.0",
    "id": "CVE-2026-27211",
    "bulletinFamily": "",
    "cwe": [
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "cloud-hypervisor cloud-hypervisor >= 34.0, < 50.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cloud-hypervisor",
    "version": ">= 34.0, < 50.1",
    "vendor": "cloud-hypervisor",
    "ai_description": "Arbitrary host file exfiltration via QCOW2 structure abuse in Cloud Hypervisor versions 34.0 through 50.0",
    "ai_severity": "Critical",
    "ai_vendor": "Cloud Hypervisor Project",
    "ai_product": "Cloud Hypervisor",
    "ai_version": "34.0-50.0",
    "ai_score": 9.1
}

Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse_CVE-2026-27211