{"api_version":"1","generated_at":"2026-07-03T09:26:52+00:00","cve":"CVE-2026-24708","urls":{"html":"https://cve.report/CVE-2026-24708","api":"https://cve.report/api/cve/CVE-2026-24708.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-24708","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-24708"},"summary":{"title":"CVE-2026-24708","description":"An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.","state":"PUBLISHED","assigner":"mitre","published_at":"2026-02-18 18:24:33","updated_at":"2026-06-30 03:17:38"},"problem_types":["CWE-669","CWE-73","CWE-669 CWE-669 Incorrect Resource Transfer Between Spheres","CWE-73 External Control of File Name or Path"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"cve@mitre.org","type":"Secondary","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H","data":{"baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:7884","name":"https://access.redhat.com/errata/RHSA-2026:7884","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2430312","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2430312","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugs.launchpad.net/nova/+bug/2137507","name":"https://bugs.launchpad.net/nova/+bug/2137507","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-24708","name":"https://access.redhat.com/security/cve/CVE-2026-24708","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.openwall.com/lists/oss-security/2026/02/17/7","name":"https://www.openwall.com/lists/oss-security/2026/02/17/7","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24708.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24708.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html","name":"https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-24708","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24708","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenStack","product":"Nova","version":"affected 30.2.2 semver","platforms":[]},{"source":"CNA","vendor":"OpenStack","product":"Nova","version":"affected 31.0.0 31.2.1 semver","platforms":[]},{"source":"CNA","vendor":"OpenStack","product":"Nova","version":"affected 32.0.0 32.1.1 semver","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenStack Services on OpenShift 18.0","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenStack Platform 13 (Queens)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenStack Platform 16.2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenStack Platform 17.1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenStack Platform 18.0","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-01-16T06:29:23.249Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-17T15:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:7884: Red Hat OpenStack Services on OpenShift 18.0","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"24708","cve":"CVE-2026-24708","epss":"0.003410000","percentile":"0.260650000","score_date":"2026-07-01","updated_at":"2026-07-02 00:05:26"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-24708","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-02-19T19:07:53.345297Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-19T19:08:07.846Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2026-02-21T04:31:45.294Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html"}],"title":"CVE Program Container"},{"affected":[{"cpes":["cpe:/a:redhat:openstack:18.0::el9"],"defaultStatus":"affected","product":"Red Hat OpenStack Services on OpenShift 18.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:13"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 13 (Queens)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:16.2"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 16.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:17.1"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 17.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:18.0"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 18.0","vendor":"Red Hat"}],"datePublic":"2026-02-17T15:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw in OpenStack Nova’s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:45:39.260Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-24708"},{"name":"RHBZ#2430312","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2430312"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24708.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7884"}],"solutions":[{"lang":"en","value":"RHSA-2026:7884: Red Hat OpenStack Services on OpenShift 18.0"}],"timeline":[{"lang":"en","time":"2026-01-16T06:29:23.249Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-17T15:00:00.000Z","value":"Made public."}],"title":"openstack-nova-compute: Arbitrary Host File Overwrite via Unconstrained qemu-img Format Handling in OpenStack Nova","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Nova","vendor":"OpenStack","versions":[{"lessThan":"30.2.2","status":"affected","version":"0","versionType":"semver"},{"lessThan":"31.2.1","status":"affected","version":"31.0.0","versionType":"semver"},{"lessThan":"32.1.1","status":"affected","version":"32.0.0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*","versionEndExcluding":"30.2.2","vulnerable":true},{"criteria":"cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*","versionEndExcluding":"31.2.1","versionStartIncluding":"31.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*","versionEndExcluding":"32.1.1","versionStartIncluding":"32.0.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected."}],"metrics":[{"cvssV3_1":{"baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-669","description":"CWE-669 Incorrect Resource Transfer Between Spheres","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-18T17:03:53.469Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://bugs.launchpad.net/nova/+bug/2137507"},{"url":"https://www.openwall.com/lists/oss-security/2026/02/17/7"}],"x_generator":{"engine":"enrichogram 0.0.1"}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2026-24708","datePublished":"2026-02-18T00:00:00.000Z","dateReserved":"2026-01-24T00:00:00.000Z","dateUpdated":"2026-06-30T02:45:39.260Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-18 18:24:33","lastModifiedDate":"2026-06-30 03:17:38","problem_types":["CWE-669","CWE-73","CWE-669 CWE-669 Incorrect Resource Transfer Between Spheres","CWE-73 External Control of File Name or Path"],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.8},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-19T19:07:53.345297Z","id":"CVE-2026-24708","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"24708","Ordinal":"1","Title":"CVE-2026-24708","CVE":"CVE-2026-24708","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"24708","Ordinal":"1","NoteData":"An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.","Type":"Description","Title":"CVE-2026-24708"}]}}}