Vulnerability in Kata Containers Affects Open Source Virtual Machine Operations
CVE-2026-24054

8.8HIGH

Key Information:

Vendor

Kata-containers

Status
Kata-containers
Vendor
CVE Published:
29 January 2026

What is CVE-2026-24054?

Kata Containers, an open-source implementation of lightweight virtual machines, contains a vulnerability in versions prior to 3.26.0. This issue arises when a malformed container image leads containerd to bind-mount an empty snapshotter directory as the container's root file system (rootfs). This erroneous bind mount results in the rootfs being misidentified as a block device, which can trigger the hotplugging of the underlying device to the guest system. Consequently, this may result in critical filesystem-level errors on the host system, such as double inode allocations and potentially force the host's block device into a read-only state. The vulnerability is addressed in version 3.26.0 with a critical patch.

Affected Version(s)

kata-containers < 3.26.0

References

https://github.com/kata-containers/kata-containers/securi...
x_refsource_CONFIRM
https://github.com/kata-containers/kata-containers/commit...
x_refsource_MISC
https://github.com/containerd/containerd/blob/d939b6af5f8...
x_refsource_MISC

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.