CVE-2026-24708 - Vulnerability Details - OpenCVE

A flaw in OpenStack Nova’s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-24708
https://www.cve.org/CVERecord?id=CVE-2026-24708

History

Wed, 18 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw in OpenStack Nova’s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize.
Title		openstack-nova-compute: Arbitrary Host File Overwrite via Unconstrained qemu-img Format Handling in OpenStack Nova
Weaknesses		CWE-73
References		https://nvd.nist.gov/vuln/detail/CVE-2026-24708 https://www.cve.org/CVERecord?id=CVE-2026-24708
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}` threat_severity `Important`

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Publid Date: 2026-02-17T15:00:00Z

Links: CVE-2026-24708 - Bugzilla

OpenCVE Enrichment

No data.

{"acknowledgement": "Red Hat would like to thank Dan Smith (RedHat) for reporting this issue.", "bugzilla": {"description": "openstack-nova-compute: Arbitrary Host File Overwrite via Unconstrained qemu-img Format Handling in OpenStack Nova", "id": "2430312", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430312"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-73", "details": ["A flaw in OpenStack Nova\u2019s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24708", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "rhosp13/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rhosp12/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rhosp-rhel9/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "rhosp12/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhosp-rhel9/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "rhoso/openstack-nova-compute-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "rhosp12/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "rhosp-rhel9/openstack-nova-compute", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-02-17T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24708\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24708"], "statement": "This vulnerability is rated Important for Red Hat OpenStack Platform. An authenticated attacker can exploit unconstrained disk format handling in OpenStack Nova when invoking qemu-img. By crafting a QCOW2 header on an ephemeral or root disk, an attacker can cause qemu-img to overwrite arbitrary files on the compute host with Nova's write access, leading to data destruction or denial of service.", "threat_severity": "Important"}