Vulnerability in OpenStack Nova's Image Resizing Functionality
CVE-2026-24708

8.2HIGH

Key Information:

Vendor: Openstack
Status: Nova
Vendor: CVE Published:; 18 February 2026

What is CVE-2026-24708?

A vulnerability exists in OpenStack Nova that allows a user to exploit the image resizing functionality. By crafting a malicious QCOW header for a root or ephemeral disk and initiating a resize, an unauthorized user may trick Nova's Flat image backend into invoking qemu-img without necessary format restrictions. This could lead to unsafe image resize operations, potentially resulting in data loss on the host system. The vulnerability affects only those compute nodes configured with the Flat image backend, specifically when 'use_cow_images' is set to false.

Affected Version(s)

Nova 0 < 30.2.2

Nova 31.0.0 < 31.2.1

Nova 32.0.0 < 32.1.1

References

https://bugs.launchpad.net/nova/+bug/2137507

https://www.openwall.com/lists/oss-security/2026/02/17/7

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Jan 24, 2026

CVE-2026-24708 Data

JSON

Openstack

What is CVE-2026-24708?

Affected Version(s)

References

CVSS V3.1

Timeline