CVE-2026-5747
Published: 08 April 2026
Summary
CVE-2026-5747 is a high-severity Divide By Zero (CWE-369) vulnerability in Amazon Firecracker. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5747 is an out-of-bounds write vulnerability in the virtio PCI transport component of Firecracker microVM, affecting versions 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 architectures. The issue stems from improper handling that allows modification of virtio queue configuration registers after device activation, classified under CWE-369 (Divide by Zero) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
A local attacker with root privileges inside a guest VM can exploit this vulnerability to crash the Firecracker VMM process or, under additional preconditions such as a custom guest kernel or specific snapshot configurations, potentially achieve arbitrary code execution on the host system.
Official advisories, including the AWS security bulletin and Firecracker GitHub security advisory (GHSA-776c-mpj7-jm3r), recommend upgrading to Firecracker 1.14.4 or 1.15.1 and later versions, with release notes available on GitHub detailing the fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19996
Vulnerability details
An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds write in the Firecracker VMM's virtio PCI transport allows guest root to crash the VMM or achieve arbitrary code execution on the host, directly enabling VM escape to the host and exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the out-of-bounds write vulnerability in Firecracker's virtio PCI transport by patching to versions 1.14.4 or 1.15.1 and later.
Mandates validation of guest-provided inputs to virtio queue configuration registers to block invalid modifications causing out-of-bounds writes.
Implements memory safeguards such as guard pages and protections against unauthorized memory access to mitigate exploitation of the out-of-bounds write for host code execution.
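The input-validation control above, as an added sketch that is not Firecracker's own code: a simplified model of a virtio queue-configuration write handler that refuses changes once the device is activated and bounds-checks the queue size before storing it. The type and register names, the 256-entry limit and the power-of-two rule are assumptions made for illustration.

```rust
// Added illustration: simplified model, not Firecracker source. Names are hypothetical.
const DRIVER_OK: u8 = 0x04; // virtio device status bit set on activation
const MAX_QUEUE_SIZE: u16 = 256; // assumed device limit for this sketch

#[derive(Debug, PartialEq)]
pub enum WriteError {
    DeviceActivated,
    InvalidQueueSize(u16),
}

pub enum QueueReg {
    Size(u16),
    DescAddr(u64),
}

pub struct QueueConfig {
    pub device_status: u8,
    pub size: u16,
    pub desc_addr: u64,
}

impl QueueConfig {
    pub fn new() -> Self {
        QueueConfig { device_status: 0, size: MAX_QUEUE_SIZE, desc_addr: 0 }
    }

    /// Handle a guest write to a queue configuration register.
    pub fn write(&mut self, reg: QueueReg) -> Result<(), WriteError> {
        // Refuse any reconfiguration once the driver has activated the device.
        if self.device_status & DRIVER_OK != 0 {
            return Err(WriteError::DeviceActivated);
        }
        match reg {
            QueueReg::Size(n) => {
                // Reject zero, oversized and non-power-of-two sizes (assumed rule).
                if n == 0 || n > MAX_QUEUE_SIZE || !n.is_power_of_two() {
                    return Err(WriteError::InvalidQueueSize(n));
                }
                self.size = n;
            }
            QueueReg::DescAddr(a) => self.desc_addr = a,
        }
        Ok(())
    }
}

fn main() {
    let mut q = QueueConfig::new();
    q.device_status |= DRIVER_OK; // guest driver activates the device
    println!("{:?}", q.write(QueueReg::Size(0))); // rejected: device is active
}
```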