Arbitrary Code Execution in Kata Containers Affected by Cloud Hypervisor
CVE-2026-24834

9.4 CRITICAL

Key Information:

CVE Published: 19 February 2026

What is CVE-2026-24834?

Kata Containers is an open-source project that runs lightweight virtual machines which behave like containers. In versions prior to 3.27.0, a vulnerability related to Cloud Hypervisor allows unauthorized users to modify the file system of the guest micro VM, potentially leading to arbitrary code execution with root privileges in that VM. The vulnerability does not seem to affect the security of the host machine or of other running containers/VMs. However, certain configurations, particularly those involving arm64 QEMU without NVDIMM read-only support, could theoretically expose the host to risk. Updating to version 3.27.0 is essential to mitigate this issue.

Affected Version(s)

kata-containers < 3.27.0

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
