CVE-2026-24054

Описание

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.

A flaw was found in Kata Containers. When a container image is malformed or lacks layers, the system incorrectly processes the container's root filesystem as a block device. This misidentification can lead to the host's underlying storage device being hotplugged into the virtual machine, causing filesystem errors on the host, including potential data corruption due to double inode allocation, and may result in the host's block device becoming read-only. This vulnerability can lead to a Denial of Service (DoS) on the host system.