Vulnerability Description
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Katacontainers | Kata Containers | < 3.26.0 |
Related Weaknesses (CWE)
References
- https://github.com/containerd/containerd/blob/d939b6af5f8536c2cae85e919e7c400705Patch
- https://github.com/kata-containers/kata-containers/blob/a164693e1afead84cd01d5bcPatch
- https://github.com/kata-containers/kata-containers/blob/c7d0c270ee7dfaa6d978e6e0Patch
- https://github.com/kata-containers/kata-containers/commit/20ca4d2d79aa5bf63aa125Patch
- https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8ExploitPatchVendor Advisory
FAQ
What is CVE-2026-24054?
CVE-2026-24054 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image ...
How severe is CVE-2026-24054?
CVE-2026-24054 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-24054?
Check the references section above for vendor advisories and patch information. Affected products include: Katacontainers Kata Containers.