[AUTO-CHERRYPICK] [AutoPR- Security] Patch qemu for CVE-2026-3195 [HIGH] - branch 3.0-dev

[CBL-Mariner-Bot]

This is an auto-generated pull request to cherry-pick commit 4f239ee to 3.0-dev. Original PR: #17830
In case of no merge conflicts, the PR is merged without approval because it's an automated cherry-pick of an already approved PR.
In case of merge conflicts, an AI-based conflict resolver will attempt to resolve conflicts and might make mistakes. The reviewer must check AI's work before approving.

[CBL-Mariner-Bot]

All conflicts resolved.

[CBL-Mariner-Bot]

Auto Cherry-Pick SPEC Validation Summary

qemu SPEC summary

	Source (fasttrack)	Target (3.0-dev)	Resolved
Version	9.1.0	9.1.0	9.1.0
Release	8	8	10
Patches	31	31	32
Conflict	Yes

⚠️ Validation issues:

• Duplicate changelog entry for 9.1.0-2 (appears 2 times)
• Duplicate changelog entry for 9.1.0-1 (appears 2 times)
• Changelog out of order: 9.1.0-1 appears before 9.1.0-6

---

⚠️ Manual review required — validation found issues that may need correction.

[jslobodzian]

[Toolio Iglesias🗺️] Pushed a fixup commit to correct several auto-merge artifacts:

• Release number: 10 → 9 (only +1 over 3.0-dev's existing 8, since we're adding exactly one new patch on top of CVE-2026-48914).
• Lost changelog entry restored: The original 3.0-dev -8\ (Wed Jun 17 2026 — Patch for CVE-2026-48914) had been overwritten. It's now preserved.
• New entry placement: CVE-2026-3195 now lives at -9\ (Sat Jun 27 2026) sitting above the preserved -8.
• Empty changelog headers removed: The auto-merge had inserted two empty -10\ and -9\ entries with no body.
• Day-of-week corrected: -7\ header restored to \Wed May 20\ (calendar-correct).
• Older entries restored: -6, -5, -4, -3, -2, -1\ were missing or out of order; full descending sequence is now reinstated from the 3.0-dev baseline.

Net effect: the diff vs 3.0-dev is now minimal — Release bump, one new \Patch31\ insertion (existing CVE-2026-48914 bumped to \Patch32), and one new -9\ changelog entry. Ready for re-review.