CVE-2026-24708
Received Received - Intake
Unsafe Image Resize Vulnerability in OpenStack Nova Flat Backend

Publication date: 2026-02-18

Last updated on: 2026-02-21

Assigner: MITRE

Description
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-21
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24708
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
openstack nova to 30.2.2 (exc)
openstack nova to 31.2.1 (exc)
openstack nova to 32.1.1 (exc)
openstack nova From 31.0.0 (inc) to 31.2.1 (exc)
openstack nova From 32.0.0 (inc) to 32.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24708 is a security vulnerability in OpenStack Nova affecting versions before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. It occurs when a malicious QCOW (QEMU Copy-On-Write) header is written to a root or ephemeral disk, and a resize operation is triggered. Nova's Flat image backend, typically configured with use_cow_images=False, calls the qemu-img tool without enforcing format restrictions during this resize."}, {'type': 'paragraph', 'content': "Because Nova assumes the disk image is raw and does not properly validate or flatten backing files, an attacker can craft malicious qcow2 images with backing files or use the qcow2 'data-file' attribute to cause unintended behavior. This can lead to unsafe image resize operations that may destroy or corrupt data on the host system."}, {'type': 'paragraph', 'content': 'Only compute nodes using the Flat image backend are affected. The vulnerability allows attackers to exploit the lack of format validation when qemu-img is invoked, potentially causing data destruction, corruption, or disruption of services.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including data destruction and corruption on the host system where OpenStack Nova compute nodes run. Attackers can exploit it to cause unsafe image resize operations that overwrite or zero out arbitrary files accessible via qcow2 image attributes.'}, {'type': 'list_item', 'content': 'Destruction or corruption of data on root and ephemeral disks.'}, {'type': 'list_item', 'content': 'Disruption of image caches by destroying cached backing files, leading to filesystem corruption symptoms.'}, {'type': 'list_item', 'content': 'Prevention of snapshot creation or recovery without manual intervention.'}, {'type': 'list_item', 'content': "Corruption of Nova's compute_id file, causing compute service restart failures."}, {'type': 'list_item', 'content': 'Denial of service by filling data disks through manipulation of resize size parameters.'}, {'type': 'paragraph', 'content': 'If compute nodes share image caches via shared storage, the impact can extend to multiple nodes or racks, amplifying the damage.'}] [2]

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying whether your OpenStack Nova compute nodes are using the Flat image backend (usually configured with use_cow_images=false) and if they are running affected versions prior to 30.2.2, between 31.0.0 and 31.2.1, or between 32.0.0 and 32.1.1.

You can check the Nova configuration for the use_cow_images setting to confirm if the Flat image backend is in use.

Additionally, monitoring for suspicious resize operations on root or ephemeral disks that invoke qemu-img without format restrictions may help detect exploitation attempts.

While specific commands are not provided in the resources, you might consider commands such as:

  • Checking Nova configuration: grep use_cow_images /etc/nova/nova.conf
  • Listing running Nova versions: openstack --version or querying the package manager for installed nova versions
  • Monitoring qemu-img resize calls in system logs or audit logs to detect unrestrained format usage
  • Inspecting disk images for malicious QCOW headers or backing files using qemu-img info <image-file>
Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Upgrade OpenStack Nova to a patched version: 30.2.2 or later, 31.2.1 or later, or 32.1.1 or later, as patches addressing this vulnerability have been submitted and released.'}, {'type': 'list_item', 'content': 'Ensure that the Flat image backend is not used if possible, or configure use_cow_images=True to avoid the unsafe invocation of qemu-img without format restrictions.'}, {'type': 'list_item', 'content': "Use Glance's format-inspector protections to reject qcow2 images with backing files or other unsafe attributes."}, {'type': 'list_item', 'content': 'Monitor and restrict resize operations on root and ephemeral disks, especially those that might invoke qemu-img resize without format validation.'}, {'type': 'list_item', 'content': 'Review and audit image uploads to prevent malicious QCOW images from being injected.'}, {'type': 'list_item', 'content': 'If immediate upgrade is not possible, consider restricting access to compute nodes and limiting user permissions to reduce the risk of exploitation.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart