SB2026070655 - Anolis OS update for kata-containers



SB2026070655 - Anolis OS update for kata-containers

Published: July 6, 2026

Security Bulletin ID SB2026070655
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-24054)

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service on the host system.

The vulnerability exists due to improper device handling in container rootfs mounting logic when processing a malformed container image or an image with no layers. A remote user can start a container with a malformed image or an image that contains no layers to cause a denial of service on the host system.

This affects deployments using the default overlayfs containerd snapshotter with the Kata runtime class, and may cause the host disk to be remounted as read-only.


2) Improper access control (CVE-ID: CVE-2026-24834)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to execute arbitrary code as root in the guest micro VM.

The vulnerability exists due to improper access control in the virtio-pmem-backed guest root filesystem exposure via /dev/pmem0 when accessing the writable pmem device from within a container. A remote attacker can modify files in the guest filesystem to execute arbitrary code as root in the guest micro VM.

Exploitation requires the ability to create and access the pmem device node, such as with CAP_MKNOD, and the changes are not persistent across VM restart.


Remediation

Install update from vendor's website.