CVE-2026-24708
Published: 18 February 2026
Summary
CVE-2026-24708 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Launchpad (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). It sits at the 5.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through patching OpenStack Nova to versions 30.2.2, 31.2.1, or 32.1.1 directly eliminates the vulnerability in the Flat image backend's unsafe qemu-img resize handling.
Information input validation on disk images enforces format restrictions on QCOW headers before resize operations, preventing malicious inputs from triggering unsafe qemu-img calls.
Secure configuration settings, such as enabling use_cow_images=True or avoiding the Flat image backend, block the vulnerable code path exploited by malicious QCOW headers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly enables arbitrary data destruction on the host via unsafe qemu-img resize of malicious QCOW images, mapping to Data Destruction and Disk Content Wipe.
NVD Description
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
Deeper analysis
CVE-2026-24708 is a vulnerability discovered in OpenStack Nova versions before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. It specifically affects compute nodes configured to use the Flat image backend, typically with the use_cow_images=False setting. The flaw arises when a malicious QCOW header is written to a root or ephemeral disk and a resize operation is triggered, causing Nova's Flat image backend to invoke qemu-img without format restrictions. This results in an unsafe image resize operation capable of destroying data on the host system. The vulnerability is classified under CWE-669 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H).
A low-privileged user (PR:L) with network access (AV:N) can exploit this vulnerability by crafting and writing a malicious QCOW header to an accessible root or ephemeral disk, then triggering a resize operation. The attack requires high complexity (AC:H) and no user interaction (UI:N), but achieves a changed scope (S:C), enabling high-impact integrity (I:H) and availability (A:H) disruption with no confidentiality effects (C:N). Successful exploitation leads to arbitrary data destruction on the affected host compute node.
Advisories recommend updating to OpenStack Nova 30.2.2, 31.2.1, or 32.1.1 or later to mitigate the issue. Further details on patches and affected configurations are provided in the Launchpad bug report at https://bugs.launchpad.net/nova/+bug/2137507, the oss-security announcement at https://www.openwall.com/lists/oss-security/2026/02/17/7, and the Debian LTS notice at https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html. Only Flat image backend deployments are impacted, so verifying configurations is advised prior to upgrades.
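As an added illustration of the input-validation and format-restriction controls described above (example code written for this page, not Nova's own code or the upstream patch), the following Python checks a Flat-backend disk for the QCOW magic before resizing and pins qemu-img to the raw format; the paths and sizes are constructed sample values, and the `reader`/`run` hooks are assumptions that make the check testable without qemu-img.

```python
import subprocess

# Every QCOW/QCOW2 image starts with the 4-byte magic "QFI\xfb".
QCOW_MAGIC = b"QFI\xfb"


def has_qcow_header(head: bytes) -> bool:
    """True if the leading bytes of a disk carry the QCOW magic."""
    return head[:4] == QCOW_MAGIC


def read_header(path: str, size: int = 4) -> bytes:
    """Read the first bytes of the disk file without parsing the image."""
    with open(path, "rb") as fh:
        return fh.read(size)


def resize_command(path: str, new_size: int) -> list:
    """qemu-img resize with the format pinned to raw, so qemu-img never
    auto-detects (and then trusts) a guest-written QCOW header."""
    return ["qemu-img", "resize", "-f", "raw", path, str(new_size)]


def safe_flat_resize(path: str, new_size: int,
                     run=subprocess.run, reader=read_header):
    """Validate a Flat-backend (raw) disk, then resize it with -f raw.

    A raw disk should never begin with the QCOW magic; if it does, refuse
    instead of handing the file to qemu-img.  `run` and `reader` are
    hypothetical hooks so the logic can be exercised without real disks."""
    if has_qcow_header(reader(path)):
        raise ValueError(f"{path}: raw disk carries a QCOW header; refusing to resize")
    return run(resize_command(path, new_size), check=True)


if __name__ == "__main__":
    # Constructed sample headers: a clean raw disk and one whose first
    # sector was overwritten with the QCOW magic (the condition the CVE relies on).
    samples = {"clean.raw": b"\x00" * 512, "tainted.raw": QCOW_MAGIC + b"\x00" * 508}

    def fake_run(cmd, check):  # stand-in for subprocess.run in this demo
        print("would run:", " ".join(cmd))

    for name, header in samples.items():
        try:
            safe_flat_resize(name, 2 * 1024 ** 3, run=fake_run, reader=lambda p: header)
        except ValueError as exc:
            print("blocked:", exc)
```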
Details
- CWE(s)