CVE-2026-24054
Published: 29 January 2026
Summary
CVE-2026-24054 is a critical-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Katacontainers Kata Containers. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 26.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation by upgrading to Kata Containers 3.26.0 directly patches the bind-mount fallback and block device hotplug issue, preventing host filesystem disruption from malformed container images.
Vulnerability scanning detects Kata Containers versions prior to 3.26.0 and triggers remediation to address the critical flaw exploitable via crafted images.
Validating container images at runtime entry points, checking that they carry well-formed layers and structure, blocks the malformed inputs that trigger containerd's faulty fallback bind mount.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote exploitation of the public-facing container runtime via a crafted image directly triggers a host DoS through system exploitation and filesystem impact.
NVD Description
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.
Deeper analysisAI
CVE-2026-24054 is a critical vulnerability (CVSS 3.1 score of 10.0) affecting Kata Containers versions prior to 3.26.0, an open source project providing lightweight Virtual Machines that emulate container performance. The issue arises in conjunction with containerd: when a container image is malformed or lacks layers, containerd falls back to bind-mounting an empty snapshotter directory as the container rootfs. During the Kata runtime's attempt to mount this rootfs, the bind mount is misinterpreted as a block device, resulting in the underlying host device being hotplugged into the guest VM. This triggers filesystem-level errors on the host, such as double inode allocation, and can cause the host's block device to mount as read-only (CWE-754).
A remote attacker with network access can exploit this vulnerability without privileges, user interaction, or special complexity (AV:N/AC:L/PR:N/UI:N/S:C). By deploying a specially crafted container image with no layers or malformed content to a vulnerable Kata Containers deployment, the attacker triggers the faulty bind-mount and hotplug behavior. Successful exploitation disrupts host filesystem integrity, leading to errors from inode conflicts and rendering affected block devices read-only, potentially denying write access and causing broader system instability.
Mitigation is available via the patch in Kata Containers version 3.26.0, as detailed in the project's security advisory (GHSA-5fc8-gg7w-3g5c) and related commits. Security practitioners should upgrade affected deployments immediately and review the referenced code changes in containerd's overlay snapshot plugin and Kata's virtcontainers module for implementation details.
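As an added example (not code from the Kata Containers or containerd projects), a Go admission check of the kind described under the mitigating controls above: it parses an OCI image manifest and refuses images with zero layers or malformed layer descriptors before the image reaches the runtime. The type names, ValidateManifest, and the sample manifests are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Subset of an OCI image manifest, enough for the checks below.
type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type manifest struct {
	Layers []descriptor `json:"layers"`
}

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ValidateManifest is a hypothetical admission check: it refuses manifests that
// are not JSON, carry zero layers, or have layer descriptors with a malformed
// digest or non-positive size, so such images never reach the runtime.
func ValidateManifest(raw []byte) error {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	if len(m.Layers) == 0 {
		return errors.New("manifest has no layers; refusing to run image")
	}
	for i, l := range m.Layers {
		if !digestRe.MatchString(l.Digest) {
			return fmt.Errorf("layer %d: malformed digest %q", i, l.Digest)
		}
		if l.Size <= 0 {
			return fmt.Errorf("layer %d: non-positive size %d", i, l.Size)
		}
	}
	return nil
}

// Constructed sample manifests (not taken from the advisory or any real image).
const goodManifest = `{"schemaVersion":2,"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","size":4096}]}`
const noLayersManifest = `{"schemaVersion":2,"layers":[]}`
```

Run ValidateManifest on the manifest bytes at the point where an image is admitted to a Kata-backed node; a non-nil error means the image should be rejected rather than handed to the runtime.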
Details
- CWE(s)