SB2026052279 - Denial of service in Kata Containers
Published: May 22, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-24054)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service on the host system.
The vulnerability exists due to improper device handling in container rootfs mounting logic when processing a malformed container image or an image with no layers. A remote user can start a container with a malformed image or an image that contains no layers to cause a denial of service on the host system.
This affects deployments using the default overlayfs containerd snapshotter with the Kata runtime class, and may cause the host disk to be remounted as read-only.
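The two conditions named above can be checked on the defender's side, as in this added example (not code from the bulletin or from the Kata Containers project): it flags an image manifest that declares no layers and reports a read-only remount from /proc/mounts-format text. The function names, sample manifests and mount lines are constructed for illustration, and using these checks for monitoring is an assumption, not the vendor's fix.

```python
import json

# Media types of multi-platform indexes, which carry "manifests" instead of "layers".
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def classify_manifest(raw):
    """Return 'ok', 'no-layers', 'index' or 'malformed' for a manifest JSON string."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return "malformed"
    if not isinstance(doc, dict):
        return "malformed"
    if doc.get("mediaType") in INDEX_TYPES or "manifests" in doc:
        return "index"  # each per-platform manifest must be fetched and checked
    layers = doc.get("layers")
    if layers is None or layers == []:
        return "no-layers"
    if not isinstance(layers, list) or not all(
            isinstance(l, dict) and l.get("digest") for l in layers):
        return "malformed"
    return "ok"

def read_only_mounts(mounts_text, watch=("/",)):
    """Return watched mount points that /proc/mounts-format text shows as 'ro'."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in watch and "ro" in fields[3].split(","):
            hits.append(fields[1])
    return hits

# Constructed sample data (not taken from the bulletin).
LAYER = {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "digest": "sha256:" + "0" * 64, "size": 32}
NORMAL_IMAGE = json.dumps({"schemaVersion": 2, "layers": [LAYER]})
EMPTY_IMAGE = json.dumps({"schemaVersion": 2, "layers": []})
MOUNTS_SAMPLE = (
    "/dev/sda1 / ext4 ro,relatime 0 0\n"
    "/dev/sda2 /var/lib/containerd ext4 rw,relatime,errors=remount-ro 0 0\n"
)

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL_IMAGE), ("empty", EMPTY_IMAGE)):
        print(name, classify_manifest(raw))
    print(read_only_mounts(MOUNTS_SAMPLE, watch=("/", "/var/lib/containerd")))
```

On a host, pass the contents of /proc/mounts to `read_only_mounts`; the `errors=remount-ro` option on a read-write mount is deliberately not reported.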
Remediation
Install the update from the vendor's website.