SB2026052273 - Improper access control in Kata Containers
Published: May 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2026-24834)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary code as root in the guest micro VM.
The vulnerability exists due to improper access control in the virtio-pmem-backed guest root filesystem exposure via /dev/pmem0 when accessing the writable pmem device from within a container. A remote attacker can modify files in the guest filesystem to execute arbitrary code as root in the guest micro VM.
Exploitation requires the ability to create and access the pmem device node, such as with CAP_MKNOD, and the changes are not persistent across VM restart.
Remediation
Install update from vendor's website.