CVE-2026-33414

Name: CVE-2026-33414
Description: Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
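As an added illustration, not Podman's own code, the hardened construction the description implies, written in Go like stubber.go: the image path reaches PowerShell as a single-quoted literal, inside which no subexpression is evaluated, next to the double-quoted pattern the advisory describes and a defence-in-depth rejection of shell metacharacters. Get-Item stands in for whatever command the backend actually runs, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// buildHypervCommandUnsafe mirrors the pattern the advisory describes: the
// path is dropped into a PowerShell double-quoted string, where $( ... ) is
// evaluated before the outer command runs. Shown only for contrast.
func buildHypervCommandUnsafe(imagePath string) string {
	return fmt.Sprintf(`Get-Item "%s"`, imagePath)
}

// psSingleQuote returns s as a PowerShell single-quoted literal. Inside single
// quotes PowerShell performs no interpolation at all, so the only character
// that needs escaping is the quote itself, which is doubled.
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// buildHypervCommandSafe is the hardened form: the path is an inert literal,
// so $(...), backticks and embedded double quotes cannot break out of it.
func buildHypervCommandSafe(imagePath string) string {
	return fmt.Sprintf("Get-Item -LiteralPath %s", psSingleQuote(imagePath))
}

// rejectPSMetacharacters is a defence-in-depth check for callers that derive
// the path from user input (machine name, image directory): characters that
// have no business in a VHD path are refused before any shell is involved.
func rejectPSMetacharacters(imagePath string) error {
	if i := strings.IndexAny(imagePath, "$`\"'\r\n"); i >= 0 {
		return fmt.Errorf("image path contains shell metacharacter %q at offset %d", imagePath[i:i+1], i)
	}
	return nil
}

func main() {
	// Constructed sample: a path that would smuggle a harmless subexpression.
	p := `C:\Users\bob\$(1+1)\podman.vhdx`
	fmt.Println("unsafe:", buildHypervCommandUnsafe(p))
	fmt.Println("safe:  ", buildHypervCommandSafe(p))
	fmt.Println("check: ", rejectPSMetacharacters(p))
}
```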

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release   Version       Status
podman (PTS)      trixie    5.4.2+ds1-2   vulnerable
                  forky     5.8.1+ds1-3   vulnerable
                  sid       5.8.2+ds1-1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency       Origin   Debian Bugs
podman    source   bullseye     (not affected)
podman    source   bookworm     (not affected)
podman    source   (unstable)   5.8.2+ds1-1      unimportant

Notes

[bookworm] - podman <not-affected> (Vulnerable code not present)
[bullseye] - podman <not-affected> (Vulnerable code not present)
https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59
Fixed by: https://github.com/containers/podman/commit/6cffe93d888f0cfbf586ce4fb91ca85010d3f470 (v5.8.2)
Only affects Podman's HyperV machine backend.
