CVE Catalog

CVE-2026-24834

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

A vulnerability in Kata Containers prior to version 3.27.0 allows a container user to modify the file system of the guest Micro VM via Cloud Hypervisor, leading to arbitrary code execution as root within that VM. The issue does not impact the host or other containers/VMs on the same host, except on arm64 with QEMU where guest writes could reach the image file.

Risk Assessment

The risk involves privilege escalation within the container, potentially leading to data integrity compromise or control over the guest VM, but it does not spread to the host.

Recommendation

Immediately upgrade Kata Containers to version 3.27.0 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS