CVE-2026-24834Incorrect Permission Assignment in Kata-containers

CWE-732Incorrect Permission AssignmentCWE-281Improper Preservation of Permissions7 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.0%
top 99.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Kata-containersGithub.com Kata-containers Kata-containers SRC RuntimeKatacontainers Kata Containers+2 more
Timeline
PublishedFeb 19
Latest updateFeb 23

Description

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on that Host (note that

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages5 packages

Gogithub.com/kata-containers_kata-containers_src_runtime< 0.0.0-20260219090056-6a672503973b

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Kata Container to Guest micro VM privilege escalation in github.com/kata-containers/kata-containers/src/runtime2026-02-23
GHSA
Kata Container to Guest micro VM privilege escalation2026-02-19
OSV
Kata Container to Guest micro VM privilege escalation2026-02-19

📋Vendor Advisories

2
Red Hat
containerd-shim-kata-v2: Kata Containers: Arbitrary code execution in guest virtual machine via file system modification2026-02-19
Microsoft
Kata Container to Guest micro VM privilege escalation2026-02-10

🕵️Threat Intelligence

1
Wiz
CVE-2026-24834 Impact, Exploitability, and Mitigation Steps | Wiz