CVE-2026-24054
Unknown Unknown - Not Provided
Bind Mount Vulnerability in Kata Containers Causes Host Filesystem Errors

Publication date: 2026-01-29

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24054
EUVD
EUVD-2026-4958
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
katacontainers kata_containers to 3.26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24054 is a critical vulnerability in the kata-containers runtime that occurs when a container image is malformed or contains no layers. In such cases, containerd falls back to bind-mounting an empty snapshotter directory as the container root filesystem (rootfs). The Kata runtime mistakenly detects this bind mount as a block device and hotplugs the underlying host block device into the Kata VM guest. This unsafe hotplugging can cause filesystem-level errors on the host, such as double inode allocation, and may cause the host's block device to be remounted as read-only, potentially leading to service disruption or host failure. The issue was fixed in kata-containers version 3.26.0 by preventing the runtime from misidentifying the bind-mounted empty snapshotter directory as a block device. [2]

Impact Analysis

This vulnerability can cause serious filesystem corruption on the host system by hotplugging the host's block device into the Kata VM guest when it should not be. This can lead to double inode allocation errors, remounting of the host's block device as read-only, and potentially cause service disruption or complete host failure, especially if the affected device is critical like the boot disk. This can impact system stability and availability. [2]

Detection Guidance

This vulnerability can be detected by deploying a container image with no layers using the Kata runtime class in a Kubernetes environment with containerd and kata-containers installed. Host logs, such as those from the `dmesg` command, will show EXT4 filesystem errors indicating doubly allocated inodes. Additionally, Kata logs will report detection of the block device being hotplugged incorrectly. Therefore, running `dmesg | grep EXT4` on the host can help detect filesystem errors related to this issue, and reviewing Kata runtime logs for block device detection messages can also indicate the vulnerability's presence. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade kata-containers to version 3.26.0 or later, where the issue is fixed by preventing the runtime from misidentifying the bind-mounted empty snapshotter directory as a block device. Additionally, ensure the runtime configuration flag `disable_block_device_use` is set to `true` (which is the default) to disable hotplugging of host block devices as root filesystems inside guest VMs, forcing the use of virtio-fs instead. This prevents unsafe block device hotplugging and reduces the risk of filesystem corruption and host instability. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24054. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart