SB2026052273 - Improper access control in Kata Containers



SB2026052273 - Improper access control in Kata Containers

Published: May 22, 2026

Security Bulletin ID SB2026052273
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2026-24834)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to execute arbitrary code as root in the guest micro VM.

The vulnerability exists due to improper access control in the virtio-pmem-backed guest root filesystem exposure via /dev/pmem0 when accessing the writable pmem device from within a container. A remote attacker can modify files in the guest filesystem to execute arbitrary code as root in the guest micro VM.

Exploitation requires the ability to create and access the pmem device node, such as with CAP_MKNOD, and the changes are not persistent across VM restart.


Remediation

Install update from vendor's website.