8.7

Firecracker 1.13.0-1.14.3, 1.15.0: Local Guest User Privilege Escalation

CVE-2026-5747
Summary

A critical issue in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 might allow a local user with administrative privileges in a virtual machine to crash the program running the virtual machine or gain control over the host machine. To fix this, update to Firecracker version 1.14.4 or 1.15.1 or later.

Original title
An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash th...
Original description
An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations.

To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.
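The affected and fixed version ranges above can be turned into a fleet check. The following is an added example, not code from the advisory or from the Firecracker project; the host names, the banner strings in the sample inventory, and the "lowest fixed release above the running version" upgrade policy are assumptions made for illustration.

```python
import re

# Affected ranges (inclusive) and fixed releases, taken from the advisory text.
AFFECTED_RANGES = [((1, 13, 0), (1, 14, 3)), ((1, 15, 0), (1, 15, 0))]
FIXED_RELEASES = [(1, 14, 4), (1, 15, 1)]

# Matches "1.14.3", "v1.14.3" or a banner such as "Firecracker v1.14.3".
_VERSION_RE = re.compile(r"(?<![\d.])v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); suffixes such as "-dev" are ignored."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify one version string against the advisory's affected ranges."""
    version = parse_version(text)
    affected = any(low <= version <= high for low, high in AFFECTED_RANGES)
    # Example policy (an assumption): suggest the lowest fixed release above
    # the running version, so the upgrade stays as small as possible.
    target = next((f for f in FIXED_RELEASES if f > version), None) if affected else None
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        "upgrade_to": ".".join(map(str, target)) if target else None,
    }


def triage(inventory):
    """Return findings for affected hosts; unparseable entries are flagged too."""
    findings = {}
    for host, reported in inventory.items():
        try:
            result = assess(reported)
        except ValueError:
            # Unknown version: surface it for manual review instead of hiding it.
            findings[host] = {"version": None, "affected": None, "upgrade_to": None}
            continue
        if result["affected"]:
            findings[host] = result
    return findings


# Constructed inventory: host names and version strings are made up.
SAMPLE_INVENTORY = {"vmhost-a": "Firecracker v1.12.1", "vmhost-b": "Firecracker v1.14.3",
                    "vmhost-c": "1.14.4", "vmhost-d": "v1.15.0", "vmhost-e": "unknown"}
```

Hosts whose version string cannot be parsed are returned with `affected` set to `None` so they are reviewed by hand rather than silently treated as safe.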
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-369 Divide By Zero
CWE-787 Out-of-bounds Write
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026