CVE-2026-45782 showed that the Cloud Hypervisor asynchronous block I/O code is far too subtle. Even the top-level APIs are unsafe, and so bugs in the block device itself can cause undefined behavior. In this case, the undefined behavior was a use-after-free that allowed a VM escape. While the synchronous code still allows safe code to cause undefined behavior, it is somewhat simpler to reason about and so should be preferred when performance is not a concern. Disabling asynchronous I/O was a mitigation for CVE-2026-45782. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- Upstream contributor Dylan Reid plans to fix the block layer. However, its attack surface is still much higher than the synchronous I/O code. This has not been tested beyond the integration tests. My test machine is currently not working, most likely due to the AMDGPU panel self-refresh bug. --- tools/start-vmm/ch.rs | 2 ++ tools/start-vmm/lib.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tools/start-vmm/ch.rs b/tools/start-vmm/ch.rs index d3ac95ed60db834e20dbd7366908ae45cbdf27a2..239d08e10721170de02ec7da92939597c72e8033 100644 --- a/tools/start-vmm/ch.rs +++ b/tools/start-vmm/ch.rs @@ -24,6 +24,8 @@ pub struct ConsoleConfig { pub struct DiskConfig { pub path: String, pub readonly: bool, + pub disable_io_uring: bool, + pub disable_aio: bool, } #[derive(Serialize)] diff --git a/tools/start-vmm/lib.rs b/tools/start-vmm/lib.rs index 1adccc1b76ce24ba0550a3db2aef1b4c8f3c231a..0fa63525eaee2f387456ed6fb9c3649188ab0e7a 100644 --- a/tools/start-vmm/lib.rs +++ b/tools/start-vmm/lib.rs @@ -75,6 +75,8 @@ pub fn vm_config(vm_dir: &Path) -> Result<VmConfig, String> { Ok(DiskConfig { path: entry, readonly: true, + disable_io_uring: true, + disable_aio: true, }) }) .collect::<Result<_, _>>()?, --- base-commit: 5b3151fd08d1f1e3e166a328449fe6fe5092f316 change-id: 20260507-sync-block-2902b6a635f8 -- Sincerely, Demi Marie Obenour (she/her/hers)
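Review bot: in the tools/start-vmm/ch.rs hunk, the two new `pub` fields on `DiskConfig` carry no doc comment, so nothing at the type definition records why a start-vmm disk would ever need both the io_uring and the AIO backend switched off; a `///` comment on each field pointing at CVE-2026-45782 and the use-after-free in the asynchronous block path keeps that rationale attached to the type for whoever later considers re-enabling async I/O once upstream has fixed the block layer. Because Rust struct literals must name every field, every existing `DiskConfig { .. }` construction site also has to be updated with this change; the lib.rs hunk covers one, and since the commit message says only the integration tests were run, a plain `cargo check` of the crate is worth confirming before merge so no other site is left behind.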
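Review bot: in the tools/start-vmm/lib.rs hunk, `disable_io_uring: true` and `disable_aio: true` are hard-coded inside the `Ok(DiskConfig { .. })` literal with no comment, so a reader of `vm_config` sees two opt-outs of Cloud Hypervisor's faster I/O paths and has no way to tell they are a security mitigation rather than a performance oversight; a one-line comment at that spot, e.g. `// Force synchronous block I/O: mitigation for CVE-2026-45782`, would make the intent survive future refactoring. Given that the cover text says upstream plans to fix the block layer, consider also adding an integration-test assertion that every disk in the generated VM configuration has both flags set, so that a later cleanup cannot silently drop the mitigation before the fix has actually landed in the Cloud Hypervisor build in use.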