CVE-2026-24708

NameCVE-2026-24708
DescriptionAn issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4486-1, DSA-6145-1
Debian Bugs1128294

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nova (PTS)bullseye2:22.0.1-2+deb11u1vulnerable
bullseye (security)2:22.4.0-1~deb11u7fixed
bookworm2:26.2.2-1~deb12u3vulnerable
bookworm (security)2:26.2.2-1~deb12u4fixed
trixie2:31.0.0-6+deb13u1vulnerable
trixie (security)2:31.0.0-6+deb13u2fixed
forky, sid2:32.1.0-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
novasourcebullseye2:22.4.0-1~deb11u7DLA-4486-1
novasourcebookworm2:26.2.2-1~deb12u4DSA-6145-1
novasourcetrixie2:31.0.0-6+deb13u2DSA-6145-1
novasource(unstable)2:32.1.0-71128294

Notes

https://www.openwall.com/lists/oss-security/2026/02/17/7
https://review.opendev.org/977100
Search for package or bug name: Reporting problems