CVE-2026-24054
Bind Mount Vulnerability in Kata Containers Causes Host Filesystem Errors
Publication date: 2026-01-29
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| katacontainers | kata_containers | to 3.26.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24054 is a critical vulnerability in the kata-containers runtime that occurs when a container image is malformed or contains no layers. In such cases, containerd falls back to bind-mounting an empty snapshotter directory as the container root filesystem (rootfs). The Kata runtime mistakenly detects this bind mount as a block device and hotplugs the underlying host block device into the Kata VM guest. This unsafe hotplugging can cause filesystem-level errors on the host, such as double inode allocation, and may cause the host's block device to be remounted as read-only, potentially leading to service disruption or host failure. The issue was fixed in kata-containers version 3.26.0 by preventing the runtime from misidentifying the bind-mounted empty snapshotter directory as a block device. [2]
How can this vulnerability impact me? :
This vulnerability can cause serious filesystem corruption on the host system by hotplugging the host's block device into the Kata VM guest when it should not be. This can lead to double inode allocation errors, remounting of the host's block device as read-only, and potentially cause service disruption or complete host failure, especially if the affected device is critical like the boot disk. This can impact system stability and availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by deploying a container image with no layers using the Kata runtime class in a Kubernetes environment with containerd and kata-containers installed. Host logs, such as those from the `dmesg` command, will show EXT4 filesystem errors indicating doubly allocated inodes. Additionally, Kata logs will report detection of the block device being hotplugged incorrectly. Therefore, running `dmesg | grep EXT4` on the host can help detect filesystem errors related to this issue, and reviewing Kata runtime logs for block device detection messages can also indicate the vulnerability's presence. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade kata-containers to version 3.26.0 or later, where the issue is fixed by preventing the runtime from misidentifying the bind-mounted empty snapshotter directory as a block device. Additionally, ensure the runtime configuration flag `disable_block_device_use` is set to `true` (which is the default) to disable hotplugging of host block devices as root filesystems inside guest VMs, forcing the use of virtio-fs instead. This prevents unsafe block device hotplugging and reduces the risk of filesystem corruption and host instability. [2, 4]