CVE-2026-5747
Bulletin ID: 2026-015-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/07 15:30 PM PDT Description: Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services. We identified CVE-2026-5747, an out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 that might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. No AWS service is affected. Impacted versions: Firecracker >= 1.13.0 AND <= 1.14.3 AND 1.15.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- An out-of-bounds write issue in the virtio PCI transport may allow a local guest user to crash the Firecracker VMM process or execute arbitrary code on the host.
- Who is affected
- Local guest users with root privileges on Firecracker versions 1.13.0 through 1.14.3 and 1.15.0.
- Urgency
- Remediation is urgent due to the potential for arbitrary code execution on the host.
- Action
- Upgrade to a patched version of Firecracker.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-5747
Get an email if CVE-2026-5747 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownCVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transportaws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-5747)