CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport
Bulletin ID: 2026-015-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/07 15:30 PM PDT Description: Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services. We identified CVE-2026-5747, an out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 that might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. No AWS service is affected. Impacted versions: Firecracker >= 1.13.0 AND <= 1.14.3 AND 1.15.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- An out-of-bounds write issue in the virtio PCI transport may allow a local guest user to crash the Firecracker VMM process or execute arbitrary code on the host.
- Who is affected
- Local guest users with root privileges on Firecracker versions 1.13.0 through 1.14.3 and 1.15.0.
- Urgency
- Remediation is urgent due to the potential for arbitrary code execution on the host.
- Action
- Upgrade to a patched version of Firecracker.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Firecracker
Get an email when a new Firecracker advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-015-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-57470.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-5747 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for - Out-of-bounds Write
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalCVE-2026-14480: OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy …nvd · 2026-07-10
- unknownCVE-2026-48127: Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without…nvd · 2026-07-10
- unknownCVE-2026-57217: RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.21, 4.1.11, and 4.2.6, Rab…nvd · 2026-07-10
- unknownCVE-2026-45203: Kernel software installed and running inside a Host VM may post improper commands to the GPU F…nvd · 2026-07-10
- unknownCVE-2026-41154: Software installed and run as a non-privileged user may cause OOB kernel memory reads or write…nvd · 2026-07-10
- unknownCVE-2026-55452: Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stor…nvd · 2026-07-10
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01