CVE-2026-24708
Unsafe Image Resize Vulnerability in OpenStack Nova Flat Backend
Publication date: 2026-02-18
Last updated on: 2026-02-21
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | nova | to 30.2.2 (exc) |
| openstack | nova | to 31.2.1 (exc) |
| openstack | nova | to 32.1.1 (exc) |
| openstack | nova | From 31.0.0 (inc) to 31.2.1 (exc) |
| openstack | nova | From 32.0.0 (inc) to 32.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-24708 is a security vulnerability in OpenStack Nova affecting versions before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. It occurs when a malicious QCOW (QEMU Copy-On-Write) header is written to a root or ephemeral disk, and a resize operation is triggered. Nova's Flat image backend, typically configured with use_cow_images=False, calls the qemu-img tool without enforcing format restrictions during this resize."}, {'type': 'paragraph', 'content': "Because Nova assumes the disk image is raw and does not properly validate or flatten backing files, an attacker can craft malicious qcow2 images with backing files or use the qcow2 'data-file' attribute to cause unintended behavior. This can lead to unsafe image resize operations that may destroy or corrupt data on the host system."}, {'type': 'paragraph', 'content': 'Only compute nodes using the Flat image backend are affected. The vulnerability allows attackers to exploit the lack of format validation when qemu-img is invoked, potentially causing data destruction, corruption, or disruption of services.'}] [1, 2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including data destruction and corruption on the host system where OpenStack Nova compute nodes run. Attackers can exploit it to cause unsafe image resize operations that overwrite or zero out arbitrary files accessible via qcow2 image attributes.'}, {'type': 'list_item', 'content': 'Destruction or corruption of data on root and ephemeral disks.'}, {'type': 'list_item', 'content': 'Disruption of image caches by destroying cached backing files, leading to filesystem corruption symptoms.'}, {'type': 'list_item', 'content': 'Prevention of snapshot creation or recovery without manual intervention.'}, {'type': 'list_item', 'content': "Corruption of Nova's compute_id file, causing compute service restart failures."}, {'type': 'list_item', 'content': 'Denial of service by filling data disks through manipulation of resize size parameters.'}, {'type': 'paragraph', 'content': 'If compute nodes share image caches via shared storage, the impact can extend to multiple nodes or racks, amplifying the damage.'}] [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether your OpenStack Nova compute nodes are using the Flat image backend (usually configured with use_cow_images=false) and if they are running affected versions prior to 30.2.2, between 31.0.0 and 31.2.1, or between 32.0.0 and 32.1.1.
You can check the Nova configuration for the use_cow_images setting to confirm if the Flat image backend is in use.
Additionally, monitoring for suspicious resize operations on root or ephemeral disks that invoke qemu-img without format restrictions may help detect exploitation attempts.
While specific commands are not provided in the resources, you might consider commands such as:
- Checking Nova configuration: grep use_cow_images /etc/nova/nova.conf
- Listing running Nova versions: openstack --version or querying the package manager for installed nova versions
- Monitoring qemu-img resize calls in system logs or audit logs to detect unrestrained format usage
- Inspecting disk images for malicious QCOW headers or backing files using qemu-img info <image-file>
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Upgrade OpenStack Nova to a patched version: 30.2.2 or later, 31.2.1 or later, or 32.1.1 or later, as patches addressing this vulnerability have been submitted and released.'}, {'type': 'list_item', 'content': 'Ensure that the Flat image backend is not used if possible, or configure use_cow_images=True to avoid the unsafe invocation of qemu-img without format restrictions.'}, {'type': 'list_item', 'content': "Use Glance's format-inspector protections to reject qcow2 images with backing files or other unsafe attributes."}, {'type': 'list_item', 'content': 'Monitor and restrict resize operations on root and ephemeral disks, especially those that might invoke qemu-img resize without format validation.'}, {'type': 'list_item', 'content': 'Review and audit image uploads to prevent malicious QCOW images from being injected.'}, {'type': 'list_item', 'content': 'If immediate upgrade is not possible, consider restricting access to compute nodes and limiting user permissions to reduce the risk of exploitation.'}] [1, 2]