Your message dated Sat, 04 Jul 2026 16:32:07 +0000
with message-id <[email protected]>
and subject line Bug#1139923: fixed in qemu 1:10.0.11+ds-0+deb13u1
has caused the Debian Bug report #1139923,
regarding qemu: CVE-2026-48914: virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD 
size check
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139923
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:11.0.1+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for qemu.

CVE-2026-48914[0]:
| A flaw was found in QEMU's virtio-blk device. The issue arises
| because the device does not properly validate the size of input
| descriptors before writing data. A malicious guest with high
| privileges could exploit this vulnerability by submitting a
| malformed virtio-blk SCSI request, leading to an out-of-bounds write
| in the host heap memory and a potential denial of service (DoS) for
| the QEMU process.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48914
    https://www.cve.org/CVERecord?id=CVE-2026-48914
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2488283
[2] 
https://gitlab.com/qemu-project/qemu/-/commit/aeea0c2804c42f24915467a1e4c70e649e39b8e0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:10.0.11+ds-0+deb13u1
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2026 08:33:17 +0300
Source: qemu
Architecture: source
Version: 1:10.0.11+ds-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1139923
Changes:
 qemu (1:10.0.11+ds-0+deb13u1) trixie; urgency=medium
 .
   * new upstream stable/bugfix release:
    - Update version for 10.0.11 release
    - linux-user: Fix AT_PHDR when program headers are relocated into their own 
segment
    - hw/pci: Replace assert with bounds check and return
    - ppc/pnv_phb3: Error out on invalid config access
    - linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn
    - linux-user/xtensa: save/restore FP registers across signal delivery
    - target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status
    - ui/sdl2: Set GL ES profile before creating initial GL context
    - hw/9pfs: reject . and .. in Twstat rename
    - hw/9pfs: fix abort due to illegal name with Twstat rename
    - gdbstub: Update x86 control register bits
    - target/i386: apply mod to immediate count of an RCL/RCR operation
    - hw/uefi: fix parse_hexstr
      (Closes: CVE-2026-48915)
    - target/riscv: mask vxrm csrw write to the low 2 bits
    - disas/riscv.c: fix inst_length()
    - target/riscv/cpu_helper.c: add PMA access fault
    - target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val
    - target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers
    - disas/riscv.c: add 'cbo' insns to disassembler
    - target/riscv/csr.c: fix mstatus.UXL reserved value
    - target/riscv/csr.c: do not allow mstatus MPV/GVA writes
    - target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault
    - virtio: Allow to fill a whole virtqueue in order
    - libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
      (Closes: CVE-2026-6425)
    - libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
      (Closes: CVE-2026-6425)
    - tests/qtest: Add amd-iommu command buffer head wrap test
    - amd_iommu: Update command buffer head ptr in MMIO region after wraparound
    - amd_iommu: restrict command buffer head/tail ranges to ring size
    - linux-user: add preadv2/preadv2
    - system/rtc: Fix a possible year-2038 integer overflow problem
    - linux-user/strace: add fsmount series of syscalls
    - linux-user: implement fsmount(2) series of syscalls
    - fpu: Handle all rounding modes in partsN_uncanon_normal
    - hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet
    - qed: Don't try to flush during incoming migration
    - qcow2: Fix data loss on zero write with detect-zeroes=unmap
    - iotests/046: Test that discard/write_zeroes wait for dependencies
    - qcow2: Fix corruption on discard during write with COW
    - qemu-io: Add 'aio_discard' command
    - virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check
      (Closes: #1139923, CVE-2026-48914)
    - block/io: fallback to bounce buffer if BLKZEROOUT is not supported 
because of alignment
    - s390x/pci: Fix interrupt forwarding disable for interpreted devices
    - target/s390x: Make container ids in SysIB_15x 1-based
    - tests/unit: add test-envlist covering setenv/unsetenv name matching
    - util/envlist: fix prefix-match in envlist_unsetenv() name lookup
    - 9pfs: fix missing rename lock in v9fs_co_readdir_many
      (Closes: CVE-2026-48004)
    - tests/9pfs: add deep absolute path test
    - tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
    - hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle 
errors
    - hw/9pfs: add error handling to v9fs_fix_path()
    - hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return 
type
    - hw/9pfs: add NULL check in v9fs_path_is_ancestor()
    - hw/9pfs: move G_GNUC_PRINTF to header
    - linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
    - linux-user/sh4: restore FP rounding mode on sigreturn
    - linux-user/sh4: preserve T/M/Q bits across signal delivery
    - linux-user/mips: save/restore FCSR across signal delivery
    - linux-user/ppc: restore fp_status from FPSCR on sigreturn
    - hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
    - hw/net/rocker_of_dpa: Check group ID pointers are not NULL
    - target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
    - target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1
    - target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs
    - target/arm: SVE2 FMAXP, FMINP must honour AH=1
    - block/linux-aio: bound ioq_submit() recursion depth
    - mc146818rtc: Fix get_guest_rtc_ns() overflow bug
    - apic: fix delivery bitmask with modified xAPIC ids
    - lsi53c895a: clear tag byte when processing messages
    - lsi53c895a: fix use-after-free of cancelled request
    - ui: fix validation of VNC extended clipboard data length
      (Closes: CVE-2026-8343)
    - ui/vnc: fix OOB read updating VNC update frequency stats
      (Closes: CVE-2026-48003)
    - ui/vnc: fix OOB write in lossy rect worker code
      (Closes: CVE-2026-48002)
    - ui/vnc: fix OOB write in VNC stats array
      (Closes: CVE-2026-48002)
    - ui/vnc: fix OOB read access in VNC SASL mechname array
    - target/riscv: clear mseccfg on reset for all dependent extensions
    - target/riscv: Update the local interrupt mask
    - target/riscv: Add mseccfg to VMStateDescription
    - target/riscv: Save stimer and vstimer in CPU vmstate
    - target/riscv/pmp: Fix integer overflow in TOR and NA4 address computation
    - target/riscv: Fix medeleg[11] read-only zero bit for M-mode ECALL
    - hw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen
    - hw/char: sifive_uart: Avoid infinite delay of async xmit function
    - target/riscv: Allow mseccfg access based on ext_zicfilp
    - hw/riscv/riscv-iommu: Fix Svnapot 64KB pages
    - target/riscv: Update MISA.X for non-standard extensions
    - target/riscv: Update MISA.C for Zc* extensions
Checksums-Sha1:
 38ca31bb05597a02cd3031d078264e4783a8fc98 12560 qemu_10.0.11+ds-0+deb13u1.dsc
 fb72faaf7c72f6536b6076364fae4a17caf749e7 39991080 qemu_10.0.11+ds.orig.tar.xz
 ddfac3e08bd6ff9d19f2daf9bf6c6309c4b23f09 149948 
qemu_10.0.11+ds-0+deb13u1.debian.tar.xz
 3033d764ee9479201fceaea6aafa49501679cfd2 8302 
qemu_10.0.11+ds-0+deb13u1_source.buildinfo
Checksums-Sha256:
 14280e750f809249fe41068b7767c8631f5ee636ece6a50df80c9918d7536581 12560 
qemu_10.0.11+ds-0+deb13u1.dsc
 c6fbe5322b2b76bbbef583d1d86d0fca433b3a33776cf38ddcb619cb044b61e6 39991080 
qemu_10.0.11+ds.orig.tar.xz
 695ea56cafcce0c4246662436c359f11c2d4cbb1395157005e4b925d57abafb1 149948 
qemu_10.0.11+ds-0+deb13u1.debian.tar.xz
 6efe5c3cc306c53b70ea1576e34298a3a1b63b0cd5a7544bc89a27836f0f4c13 8302 
qemu_10.0.11+ds-0+deb13u1_source.buildinfo
Files:
 ee922ee42e802569ecd30a5d2d7be413 12560 otherosfs optional 
qemu_10.0.11+ds-0+deb13u1.dsc
 9b6e147e73aa8e2dcce9cee9c018fe2f 39991080 otherosfs optional 
qemu_10.0.11+ds.orig.tar.xz
 872d86d9dca9c0ec42c5717906a9b2ef 149948 otherosfs optional 
qemu_10.0.11+ds-0+deb13u1.debian.tar.xz
 39de11669ad5dba3ba782bd3056dd159 8302 otherosfs optional 
qemu_10.0.11+ds-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJqQLJLCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmfKnbv4RG9fZUs9bxxjrc1PjpkbBrE2e1KA58lf2alF
4RYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AABJlBAAw5FRedfPYR/mV8Qj9qfq2GHs
YFoHHnvsu9ns8A2UwgAs7Nnk/ChZgZAmL98JQ3BX/B0mRPzr+ba6ZEBDTVywwQ6p
zDBaL9CysZESNKkhQem9pE6wDuM0FNho6KhDHQOC4IJk9BOfv4BpHTOGz0t0b/xn
MebQ9CXszuJnOXz1lCwPFP07LMnKLoW6aIXB+ETK5/q3h/EVsM+kVeZXh1RXURwJ
jemPeFFgLIrm91CD5qTWoE7h3gAQ4J88xHss4bemmo/VtWwCvHnbZpwFVDZIWHSE
pPw/7zH3Rs7+QxV5TN+A/TdeCfjx8n6Ky0GOK2K2R3tSSS+4pQR0cdyjxsBm8tmH
TltyMRrmYVt3HO/+aMspZijtBlZWMqFrA7Y2z9kITrx+18W7SOoc5KstsNkKXR1Y
cYrHfm65yxvDIII433FrD56/tpkuDRbceTyWd1/7k53Yjh9BaW6QQ4CDNAuh9Vsk
AhZX98fQ253oh6GTzFbaLmCq5NACT6hVY133/XV8sfJt+ImqdxPuHO5nq/ZmSGT7
Q4fkrtJypq0hz7OkPLrDIMOs6hX9ZC8YWEoX3LmjXAfdhInkUhN/HTxilH7ql19N
G5nLypGH/XZet3jjSAwWjuHli9SgQNzTJeYIURT9x97wB4UTdYDxyr5yup5IAYbj
OUSSYpqG24lQah9oEB4=
=qOon
-----END PGP SIGNATURE-----

Attachment: pgp9TLgJrYhDJ.pgp
Description: PGP signature


--- End Message ---

Reply via email to