<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Virtualisation on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/virtualisation/</link><description>Recent content in Virtualisation on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Fri, 19 Jun 2026 08:43:42 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/virtualisation/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-48914: QEMU-KVM Heap Overflow in Azure</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-48914-qemu-kvm-heap-buffer-overflow-virtio-blk-azure/</link><pubDate>Fri, 19 Jun 2026 08:43:42 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-48914-qemu-kvm-heap-buffer-overflow-virtio-blk-azure/</guid><description>CVE-2026-48914 is a heap buffer overflow in QEMU-KVM&amp;#39;s virtio-blk SCSI handling, risking VM escape on Azure and self-managed KVM hosts.</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48914">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-48914 is a heap buffer overflow vulnerability in QEMU-KVM&rsquo;s virtio-blk driver, specifically in how it handles SCSI requests. A flaw of this type could allow a malicious guest virtual machine to corrupt host memory, which in a cloud environment could lead to VM escape — one of the most severe hypervisor-level threats. Microsoft has published this advisory via the MSRC, indicating Azure infrastructure may be affected.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Assess whether your Azure workloads rely on virtualisation layers exposed to untrusted guest workloads; prioritise patching any Azure host infrastructure or self-managed QEMU-KVM deployments. If you operate multi-tenant environments or nested virtualisation, treat this as urgent and monitor Microsoft&rsquo;s patch guidance closely.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48914">CVE-2026-48914 Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling</a></p>
]]></content:encoded></item><item><title>CVE-2026-42915 Windows VMSwitch DoS Vulnerability</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-42915-windows-vmswitch-denial-of-service-vulnerability/</link><pubDate>Tue, 16 Jun 2026 14:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-42915-windows-vmswitch-denial-of-service-vulnerability/</guid><description>CVE-2026-42915 is a Denial of Service flaw in Windows VMSwitch affecting Hyper-V and Azure. Advisory updated with corrected title and description.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42915">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-42915 is a Denial of Service vulnerability affecting Microsoft Windows VMSwitch, a core component of Hyper-V networking used in Azure virtualisation infrastructure. The advisory has been updated to correct the CVE description and title, with no change to the underlying vulnerability details or patches. While classified as a DoS vulnerability, its presence in virtualisation switching layers means it could impact availability across hosted workloads.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Verify that any previously applied mitigations or patches for CVE-2026-42915 align with the corrected description — the title change may indicate a scope clarification. Ensure your vulnerability management tooling has ingested the updated advisory and re-assess risk ratings if your environment relies on Windows Hyper-V or Azure VMSwitch networking.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42915">CVE-2026-42915 Microsoft Windows VMSwitch Denial of Service Vulnerability</a></p>
]]></content:encoded></item></channel></rss>