Main Vulnerability Database Vulnerabilities #VU132135

Improper access control in Kata Containers - CVE-2026-24834

Published: May 22, 2026

Vulnerability identifier: #VU132135

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-24834

CWE-ID: CWE-284

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Kata Containers

Affected software:
Kata Containers

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code as root in the guest micro VM.

The vulnerability exists due to improper access control in the virtio-pmem-backed guest root filesystem exposure via /dev/pmem0 when accessing the writable pmem device from within a container. A remote attacker can modify files in the guest filesystem to execute arbitrary code as root in the guest micro VM.

Exploitation requires the ability to create and access the pmem device node, such as with CAP_MKNOD, and the changes are not persistent across VM restart.

How to mitigate CVE-2026-24834

Install security update from vendor's website.

Sources

https://github.com/kata-containers/kata-containers/security/advisories/GHSA-wwj6-vghv-5p64

Improper access control in Kata Containers - CVE-2026-24834

Detailed vulnerability description

How to mitigate CVE-2026-24834

Sources

Please verify you're human