{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-24708", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-21T04:31:45.294Z", "dateReserved": "2026-01-24T00:00:00.000Z", "datePublished": "2026-02-18T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Nova", "vendor": "OpenStack", "versions": [{"lessThan": "30.2.2", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "31.2.1", "status": "affected", "version": "31.0.0", "versionType": "semver"}, {"lessThan": "32.1.1", "status": "affected", "version": "32.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-18T17:03:53.469Z"}, "references": [{"url": "https://bugs.launchpad.net/nova/+bug/2137507"}, {"url": "https://www.openwall.com/lists/oss-security/2026/02/17/7"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "versionEndExcluding": "30.2.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "versionStartIncluding": "31.0.0", "versionEndExcluding": "31.2.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "versionStartIncluding": "32.0.0", "versionEndExcluding": "32.1.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:07:53.345297Z", "id": "CVE-2026-24708", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:08:07.846Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-21T04:31:45.294Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-21T04:31:45.294Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:07:53.345297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:08:00.321Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H"}}], "affected": [{"vendor": "OpenStack", "product": "Nova", "versions": [{"status": "affected", "version": "0", "lessThan": "30.2.2", "versionType": "semver"}, {"status": "affected", "version": "31.0.0", "lessThan": "31.2.1", "versionType": "semver"}, {"status": "affected", "version": "32.0.0", "lessThan": "32.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://bugs.launchpad.net/nova/+bug/2137507"}, {"url": "https://www.openwall.com/lists/oss-security/2026/02/17/7"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "30.2.2"}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "31.2.1", "versionStartIncluding": "31.0.0"}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "32.1.1", "versionStartIncluding": "32.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-18T17:03:53.469Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24708", "state": "PUBLISHED", "dateUpdated": "2026-02-21T04:31:45.294Z", "dateReserved": "2026-01-24T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-18T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en OpenStack Nova antes de la versi\u00f3n 30.2.2, 31 antes de la 31.2.1, y 32 antes de la 32.1.1. Al escribir una cabecera QCOW maliciosa en un disco ra\u00edz o ef\u00edmero y luego activar un redimensionamiento, un usuario puede inducir al backend de imagen Flat de Nova a llamar a qemu-img sin una restricci\u00f3n de formato, lo que resulta en una operaci\u00f3n de redimensionamiento de imagen insegura que podr\u00eda destruir datos en el sistema anfitri\u00f3n. Solo los nodos de c\u00f3mputo que utilizan el backend de imagen Flat (normalmente configurados con use_cow_images=False) se ven afectados."}], "id": "CVE-2026-24708", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-18T18:24:33.087", "references": [{"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/nova/+bug/2137507"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/02/17/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Dan Smith (RedHat) for reporting this issue.", "bugzilla": {"description": "openstack-nova-compute: Arbitrary Host File Overwrite via Unconstrained qemu-img Format Handling in OpenStack Nova", "id": "2430312", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430312"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-73", "details": ["A flaw in OpenStack Nova\u2019s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24708", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "rhosp13/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rhosp12/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rhosp-rhel9/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "rhosp12/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhosp-rhel9/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "rhoso/openstack-nova-compute-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "rhosp12/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "rhosp-rhel9/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-02-17T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24708\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24708"], "statement": "This vulnerability is rated Important for Red Hat OpenStack Platform. An authenticated attacker can exploit unconstrained disk format handling in OpenStack Nova when invoking qemu-img. By crafting a QCOW2 header on an ephemeral or root disk, an attacker can cause qemu-img to overwrite arbitrary files on the compute host with Nova's write access, leading to data destruction or denial of service.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "product": "compute", "vendor": "openstack"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "product": "nova", "vendor": "openstack"}], "analysis": {"en": {"generated_at": "2026-04-17T18:48:50.081817+00:00", "value": {"mitigation_remediation": ["Deploy the latest Nova release 30.2.2 or later, 31.2.1 or later, or 32.1.1 or later, to receive the fix that restricts qemu\u2011img format handling.", "Reconfigure compute nodes to disable the Flat image backend or set use_cow_images=True to enforce copy\u2011on\u2011write.", "If immediate update is not possible, restrict image uploads to trusted formats, validate QCOW headers before allowing resized images, and avoid using the Flat backend."], "summary": {"action": "Immediate Patch", "impact": "Host File Overwrite"}, "threat_synthesis": {"affected_systems": "Affected systems are compute nodes that use the Flat image backend in OpenStack Nova, with the configuration use_cow_images set to False. The issue applies to Nova versions earlier than 30.2.2, 31.2.1, and 32.1.1.", "description_and_impact": "The vulnerability is in OpenStack Nova prior to certain releases and allows a malicious QCOW header to be written to a root or temporary disk and then used to trigger a resize operation. Because the Flat image backend calls qemu\u2011img without a format restriction, the resize can overwrite arbitrary files on the host system, potentially destroying critical data or configuration. The weakness is tied to CWE\u2011669 \u201cSecurity Function\u201d and CWE\u201173 \u201cPath Manipulation.\u201d", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity, though the EPSS score of less than 1% implies a low exploitation likelihood. The vulnerability is not listed in KEV. Attackers need the ability to create and upload a malicious image or QCOW header and must target a compute node configured with the Flat backend, which limits the attack surface to environments that have enabled this feature. Based on the description, it is inferred that the attack vector is internal to the compute service and requires authenticated actions to create or trigger the unsafe resize."}}}}, "created": "2026-02-19T10:20:56.248219+00:00", "updated": "2026-04-17T19:00:11.024068+00:00", "vendors": ["openstack", "openstack$PRODUCT$compute", "openstack$PRODUCT$nova"]}