Cloud Hypervisor
cpe:2.3:a:cloudhypervisor:cloud_hypervisor:*:*:*:*:rust:*:*
- >= 34.0, <= 50.0
A vulnerability in Cloud Hypervisor versions 34.0 through 50.0 allows for arbitrary host file exfiltration, constrained by process privileges, when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure that points to a sensitive host file. During the next VM boot or disk scan, the image format auto-detection reads this header and transfers the host file's contents to the guest. This vulnerability can be exploited without management stack interaction, as guest-initiated VM reboots trigger the disk scan while keeping the Cloud Hypervisor process active. Successful exploitation requires the backing image to be writable by the guest or from an untrusted source; deployments using only trusted, read-only images are not affected.
Exploitation of this vulnerability leads to unauthorized access to host files, which can include sensitive information such as SSH keys or password fragments, depending on the file paths targeted.
To reproduce this vulnerability, create a QCOW2 image with a backing file that points to a sensitive host file. Ensure the image is writable by the guest or sourced from an untrusted origin. When the VM boots or a disk scan is performed, Cloud Hypervisor reads the overwritten disk header and exfiltrates the host file contents to the guest.
Upgrade to Cloud Hypervisor version 51.0 or 50.1, both of which include the necessary security fixes. If an upgrade is not possible, enable Landlock sandboxing to restrict the files the process can open, and run the Cloud Hypervisor process as an unprivileged user to limit the file access rights it holds.
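As an added defensive check, not part of this advisory or of the Cloud Hypervisor project, the Python script below inspects disk images that a deployment configured as raw and flags any whose first bytes now carry a QCOW2 header, which is the tampering pattern the advisory describes: a raw-declared disk should never start with the QCOW2 magic, and the backing-file name it references is the path the format auto-detection would read. The magic bytes and header field offsets follow the public QCOW2 specification; the two sample images and the placeholder backing path are constructed for this example. A check like this can run on image storage before a VM is (re)started or as a periodic scan, complementing the upgrade, Landlock and unprivileged-user mitigations above.

```python
import os
import struct
import tempfile

# QCOW2 magic ("QFI\xfb") and the fixed start of the QCOW2 header, as documented
# in the QCOW2 specification: magic (4 bytes), version (u32), backing_file_offset
# (u64), backing_file_size (u32); all fields big-endian.
QCOW2_MAGIC = b"QFI\xfb"
HEADER_PREFIX = struct.Struct(">4sIQI")
HEAD_BYTES = 64 * 1024  # read only the first 64 KiB of each image


def inspect_raw_image(data: bytes) -> dict:
    """Classify the leading bytes of an image that is configured as raw.

    Returns a dict with keys:
      qcow2_header - True if the image starts with the QCOW2 magic
      backing_file - backing-file path named in the header, or None
      suspicious   - True whenever a raw-declared disk carries a QCOW2 magic
    """
    result = {"qcow2_header": False, "backing_file": None, "suspicious": False}
    if not data.startswith(QCOW2_MAGIC):
        return result
    # A raw disk that now begins with a QCOW2 magic has been rewritten to a
    # format the hypervisor's auto-detection would honour: flag it regardless
    # of whether a backing file is present.
    result["qcow2_header"] = True
    result["suspicious"] = True
    if len(data) >= HEADER_PREFIX.size:
        _magic, _version, bf_off, bf_size = HEADER_PREFIX.unpack_from(data, 0)
        # The backing-file name lives inside the header area; bound the read so
        # a hostile offset/size pair cannot make us slice outside the buffer.
        if bf_off and 0 < bf_size <= 1023 and bf_off + bf_size <= len(data):
            result["backing_file"] = data[bf_off:bf_off + bf_size].decode(
                "utf-8", "replace")
    return result


def scan_raw_images(paths) -> list:
    """Return (path, backing_file) for every raw-declared image that is suspicious."""
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
        report = inspect_raw_image(head)
        if report["suspicious"]:
            findings.append((path, report["backing_file"]))
    return findings


def build_sample_header(backing_path: str) -> bytes:
    """Constructed test input: a minimal version-3 QCOW2 header whose
    backing-file name is placed right after the 104-byte header."""
    name = backing_path.encode()
    name_offset = 104
    prefix = HEADER_PREFIX.pack(QCOW2_MAGIC, 3, name_offset, len(name))
    return prefix + b"\x00" * (name_offset - len(prefix)) + name


if __name__ == "__main__":
    # Constructed sample images: a benign raw disk with an MBR-style signature,
    # and one whose header was rewritten to a QCOW2 header naming a placeholder
    # backing path (not a real host file).
    benign = b"\x00" * 510 + b"\x55\xaa"
    tampered = build_sample_header("/constructed/placeholder/host-file")
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for fname, blob in (("vm1.raw", benign), ("vm2.raw", tampered)):
            p = os.path.join(tmp, fname)
            with open(p, "wb") as fh:
                fh.write(blob)
            paths.append(p)
        for path, backing in scan_raw_images(paths):
            print(f"SUSPICIOUS: {path} carries a QCOW2 header; backing file: {backing!r}")
```

The scan reads only the head of each file, so it is cheap to run across a large image store; a hit means the image should be quarantined and the VM not restarted from it until the disk is replaced from a trusted source.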