{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "21.0"
              },
              {
                "fixed": "51.2"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "95ca79974a32f3dab5987032361d0ecd2aa65512"
            },
            {
              "fixed": "aa208c147e3f975830d5afc0e95edcc18dc34f6a"
            }
          ],
          "repo": "https://github.com/cloud-hypervisor/cloud-hypervisor",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-f47p-p25q-83rh"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-416"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45782.json"
  },
  "details": "Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.",
  "id": "CVE-2026-45782",
  "modified": "2026-07-08T05:35:57.170752178Z",
  "published": "2026-06-09T22:53:52.657Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v52.0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45782.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-f47p-p25q-83rh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45782"
    },
    {
      "type": "FIX",
      "url": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/1314ac883c641f1045bbb06dec0de045a3894baa"
    },
    {
      "type": "FIX",
      "url": "https://github.com/cloud-hypervisor/cloud-hypervisor/pull/8220"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cloud Hypervisor: Use-after-free in virtio-block Async I/O Completion"
}