CVE-2026-24054
📋 TL;DR
A vulnerability in Kata Containers allows malformed container images with no layers to cause the host's block device to be mounted as read-only, potentially leading to filesystem corruption. This affects systems running Kata Containers versions prior to 3.26.0. The issue occurs when containerd bind-mounts an empty directory that Kata misinterprets as a block device.
💻 Affected Systems
- Kata Containers
📦 What is this software?
Kata Containers by Katacontainers
⚠️ Risk & Real-World Impact
Worst Case
Host filesystem corruption leading to data loss or system instability requiring host reboot or recovery procedures.
Likely Case
Host block device mounted as read-only, causing service disruptions and potential data inconsistency.
If Mitigated
Minimal impact with proper image validation and runtime monitoring in place.
🎯 Exploit Status
Exploitation requires the ability to push malformed container images to a registry accessible by the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.26.0
Vendor Advisory: https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8-gg7w-3g5c
Restart Required: Yes
Instructions:
1. Update Kata Containers to version 3.26.0 or later.
2. Update containerd to the latest stable version.
3. Restart the containerd service and any running Kata containers.
🔧 Temporary Workarounds
Image Validation
Implement strict image validation to reject malformed container images before deployment.
# Use container image scanning tools like Trivy, Grype, or Clair
# Implement admission controllers in Kubernetes to validate images
Registry Restrictions
Restrict container registries to trusted sources only.
# Configure containerd to only pull from approved registries
# Use Kubernetes ImagePolicyWebhook for registry validation
🧯 If You Can't Patch
- Implement strict image provenance and signing requirements
- Monitor for filesystem read-only events and block device mounting anomalies
🔍 How to Verify
Check if Vulnerable:
Check Kata Containers version: kata-runtime --version | grep -i version
Check Version:
kata-runtime --version
Verify Fix Applied:
Verify version is 3.26.0 or later and test with known malformed image to ensure proper error handling.
📡 Detection & Monitoring
Log Indicators:
- Unexpected block device hotplug events in Kata logs
- Filesystem read-only errors in host system logs
- containerd errors about malformed images
Network Indicators:
- Unexpected pulls of container images from untrusted sources
SIEM Query:
(source="kata" AND ("hotplug" OR "block device")) OR (source="containerd" AND "malformed image")
🔗 References
- https://github.com/containerd/containerd/blob/d939b6af5f8536c2cae85e919e7c40070557df0e/plugins/snapshots/overlay/overlay.go#L564-L581
- https://github.com/kata-containers/kata-containers/blob/a164693e1afead84cd01d5bc3575e2cbfe64ce35/src/runtime/virtcontainers/container.go#L1122-L1126
- https://github.com/kata-containers/kata-containers/blob/c7d0c270ee7dfaa6d978e6e07b99dabdaf2b9fda/src/runtime/virtcontainers/container.go#L1616-L1623
- https://github.com/kata-containers/kata-containers/commit/20ca4d2d79aa5bf63aa1254f08915da84f19e92a
- https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8-gg7w-3g5c