cvedb.io
CVE-2026-24054
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2026-01-29T18:16:15.270 · Last modified 2026-06-17T10:22:31.847

Summary

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.

Affected products

katacontainers — kata_containers

Does this affect you?

Add your gear to cvedb and we'll alert you only when katacontainers ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.