virtio-serial migration state can abort destination QEMU
Imported by the "Security Issuer Importer" bot, on behalf of the original reporter who disclosed via qemu-security list:
- From:
Feifan Qian <bea1e@proton.me> - Date:
10 May, 2026 - Message ID:
<S1C2JqVYCVSlCjAu2_nRzNfDG1piTKLBLWANMWFTes4FVQ0ucHGy42bdIoYxVNZSr2YJ2qcadHmLzW6g50lioZ0jMRsPCNIfH8b6uQ2uJcs=@proton.me>
NOTE: the original reporter can not be copied on this issue so cannot view this ticket while it remains marked confidential. If further information is needed about the disclosure, contact the reporter directly.
NOTE: this disclosure includes a report.md file which provides a markdown formatted version of the disclosure which may include more information that this bug description.
I'm writing to report a security vulnerability in QEMU's virtio-serial migration restore path. A crafted incoming migration or saved-state stream can make the destination process deserialize an attacker-controlled virtqueue element for a valid virtio-serial port and hit a reachable assertion.
The issue was confirmed on QEMU 11.0.50 (v11.0.0-759-gee7eb612be) in the x86_64 softmmu target. The affected code path is in the virtio-serial device restore logic and the shared virtqueue element deserializer used while loading VM state.
The impact is denial of service of the destination QEMU process during incoming migration or saved-state restore. The attached report rates this as CVSS v3.1 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Exploitation requires the ability to provide or influence migration/restore state for a VM configured with a matching virtio-serial controller and port.
A detailed technical report with full reproduction steps and a minimal proof of concept is attached as disclosure.zip. The proof of concept creates a legitimate migration stream, patches the virtio-console state to set elem_popped and in_num = 1025, and then restores it through QEMU's normal -incoming file path. QEMU aborts with the assertion ARRAY_SIZE(data.in_addr) >= data.in_num in qemu_get_virtqueue_element().
Please let me know if you need any additional details or would like to coordinate on a disclosure timeline. I am happy to help validate a proposed fix.