SB2026052272 - Multiple vulnerabilities in Kata Containers
Published: May 22, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2025-58354)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to launch arbitrary workloads while attesting successfully as a benign workload.
The vulnerability exists due to an improper check for unusual or exceptional conditions in the Kata agent's attestation agent presence check when handling I/O errors during rootfs access. A remote privileged user can selectively fail I/O operations to skip initdata verification and launch arbitrary workloads while attesting successfully as a benign workload.
The issue applies only to CoCo variants using rootfs and dm-verity, and does not affect cases where guest component binaries are stored in the initrd.
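The defect class described above is a presence check that treats any I/O failure as "component absent" and therefore skips a verification step. The following is an added illustration, not code from the Kata agent: it contrasts a fail-open probe (Rust's Path::exists, which returns false on every error, not only on ENOENT) with a fail-closed probe that only maps a clean NotFound to "absent" and propagates every other error to the caller. The component path, the Presence type and the decision function are assumptions made for this example.

```rust
use std::io;
use std::path::Path;

/// Outcome of probing for a guest component binary on the rootfs.
#[derive(Debug, PartialEq)]
pub enum Presence {
    Present,
    Absent,
}

/// Fail-closed presence check (example code, not Kata's own).
/// Only a clean NotFound means "not installed"; any other I/O error
/// (a failing block read, ENOTDIR, EACCES, ...) is returned to the caller,
/// so an induced fault during rootfs access cannot masquerade as absence.
pub fn probe_component(path: &Path) -> io::Result<Presence> {
    match std::fs::metadata(path) {
        Ok(_) => Ok(Presence::Present),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(Presence::Absent),
        Err(e) => Err(e),
    }
}

/// Hypothetical boot-time decision: verification is skipped only when the
/// component is positively known to be absent; an I/O error aborts the
/// decision instead of silently downgrading to "skip".
pub fn initdata_verification_required(path: &Path) -> io::Result<bool> {
    Ok(probe_component(path)? == Presence::Present)
}

/// The fail-open pattern for contrast: `exists()` collapses "absent" and
/// "could not read" into the same `false`, which is what lets a selectively
/// failed I/O operation bypass the check.
pub fn naive_is_present(path: &Path) -> bool {
    path.exists()
}

fn main() -> io::Result<()> {
    // Constructed sample path; on most systems it does not exist.
    let p = Path::new("/nonexistent/attestation-agent");
    println!("fail-open: {}", naive_is_present(p));
    println!("fail-closed: {:?}", probe_component(p)?);
    Ok(())
}
```

The distinction matters on dm-verity rootfs deployments, where a corrupted or selectively failed block surfaces as an I/O error rather than as a missing file; a caller that only sees a boolean has no way to tell the two apart.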
2) Improper access control (CVE-ID: CVE-2026-41326)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to overwrite files inside the guest workload image and disclose sensitive information from containers.
The vulnerability exists due to improper access control in the CopyFile policy and CopyFile handler when processing crafted CopyFile requests involving symlinks. A remote attacker can create a symlink from the shared directory to an arbitrary path and then send a second crafted CopyFile request to overwrite files inside the guest workload image and disclose sensitive information from containers.
The issue affects deployments using the upstream genpolicy implementation and is relevant to Confidential Containers workloads whose trust model forbids host access to container images.
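The second issue is a copy handler that follows a symlink planted in the shared directory by an earlier request. As an added example, not the Kata agent's CopyFile handler or its genpolicy rules, the code below shows the mitigation a handler of this kind needs: every component of the requested destination is resolved under a fixed root with symlink_metadata (which does not follow links), absolute paths and ".." are rejected, and only then is the file written. The root directory, request shape and function names are assumptions for this illustration.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Resolve `requested` under `root` without following any symlink.
/// Each existing prefix is inspected with symlink_metadata, so a link
/// created by a previous request cannot redirect this one outside `root`.
pub fn confined_path(root: &Path, requested: &Path) -> io::Result<PathBuf> {
    let mut out = root.to_path_buf();
    let mut depth = 0usize;
    for comp in requested.components() {
        match comp {
            Component::Normal(part) => {
                out.push(part);
                depth += 1;
                match fs::symlink_metadata(&out) {
                    Ok(md) if md.file_type().is_symlink() => {
                        return Err(io::Error::new(
                            io::ErrorKind::PermissionDenied,
                            format!("symlink in destination path: {}", out.display()),
                        ));
                    }
                    Ok(_) => {}
                    // A not-yet-existing prefix is fine; it will be created as a real dir.
                    Err(e) if e.kind() == io::ErrorKind::NotFound => {}
                    Err(e) => return Err(e),
                }
            }
            Component::CurDir => {}
            // RootDir, Prefix and ParentDir would all let the request leave `root`.
            _ => {
                return Err(io::Error::new(
                    io::ErrorKind::InvalidInput,
                    "destination escapes the shared directory",
                ))
            }
        }
    }
    if depth == 0 {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "empty destination"));
    }
    Ok(out)
}

/// Hypothetical CopyFile-style handler: writes `data` to `requested` under `root`
/// only after the whole destination path has been confined.
pub fn copy_file(root: &Path, requested: &Path, data: &[u8]) -> io::Result<PathBuf> {
    let dest = confined_path(root, requested)?;
    if let Some(parent) = dest.parent() {
        fs::create_dir_all(parent)?;
    }
    fs::write(&dest, data)?;
    Ok(dest)
}

fn main() -> io::Result<()> {
    // Constructed sample: a throwaway shared directory under the temp dir.
    let root = std::env::temp_dir().join(format!("copyfile-demo-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    let written = copy_file(&root, Path::new("app/config.toml"), b"key = 1\n")?;
    println!("wrote {}", written.display());
    println!("absolute path rejected: {}", copy_file(&root, Path::new("/x"), b"").is_err());
    let _ = fs::remove_dir_all(&root);
    Ok(())
}
```

Checking each prefix with symlink_metadata is what distinguishes this from a naive canonicalize-then-compare approach, which resolves the link first and then sees a path that still looks like it lives under the shared directory. The check remains a check-then-act sequence; a handler that runs concurrently with the writer of the shared directory should additionally open the final component with O_NOFOLLOW.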
Remediation
Install the update from the vendor's website.
References
- https://github.com/kata-containers/kata-containers/security/advisories/GHSA-989w-4xr2-ww9m
- https://github.com/kata-containers/kata-containers/blob/c980b6e191e174053681fb30817736e040554c10/src/agent/src/main.rs#L460-L474
- https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc
- https://github.com/kata-containers/kata-containers/security/advisories