CVE-2026-27211
Published: 21 February 2026
Summary
CVE-2026-27211 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Cloudhypervisor Cloud Hypervisor. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-4 (Information in Shared System Resources).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely patching to Cloud Hypervisor version 50.1 or later directly remediates the improper image format auto-detection that enables host file exfiltration.
Restricting Cloud Hypervisor process privileges, as recommended in the workaround, prevents access to sensitive host files even if a crafted QCOW2 header is parsed.
Prevents unauthorized information transfer via shared virtio-block backing images by enforcing controls that block guest manipulation from exposing host files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables guest-to-host escape (T1611) via crafted disk header for arbitrary host file read/exfil (T1005); directly supports priv esc from guest context (T1068).
NVD Description
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header…
more
with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.
Deeper analysisAI
Cloud Hypervisor, a Virtual Machine Monitor for cloud workloads, contains a vulnerability in versions 34.0 through 50.0 that enables arbitrary host file exfiltration when using virtio-block devices backed by raw images. The issue, tracked as CVE-2026-27211 and published on 2026-02-21, stems from improper handling of image format auto-detection. A malicious guest can overwrite its disk header with a crafted QCOW2 structure that points to a sensitive host path. Upon the next VM boot or disk scan, this header is parsed, causing the contents of the specified host file to be served to the guest. The vulnerability is rated CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-73 (External Control of File Name or Path).
A malicious guest can exploit this without needing interaction from the management stack, as guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Exploitation requires the backing image to be writable by the guest or sourced from an untrusted origin; deployments using only trusted, read-only images are unaffected. Successful attacks allow exfiltration of host files, constrained by the privileges of the Cloud Hypervisor process, potentially exposing sensitive data across scope from network-accessible guests.
The vulnerability has been addressed in Cloud Hypervisor version 50.1, as detailed in the project's GitHub release and related commit fixes. As a workaround, enable Landlock sandboxing and restrict process privileges and access to mitigate risks until patching is feasible.
Details
- CWE(s)