CVE-2026-24834
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
A vulnerability in Kata Containers prior to version 3.27.0 allows a container user to modify the file system of the guest Micro VM via Cloud Hypervisor, leading to arbitrary code execution as root within that VM. The issue does not impact the host or other containers/VMs on the same host, except on arm64 with QEMU where guest writes could reach the image file.
Risk Assessment
The risk involves privilege escalation within the container, potentially leading to data integrity compromise or control over the guest VM, but it does not spread to the host.
Recommendation
Immediately upgrade Kata Containers to version 3.27.0 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue.

