CVE-2026-24054
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
4Tags
Description
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.
Analysis
Sandbox escape in Kata Containers allowing guest VM to access host resources. CVSS 10.0 — undermines the core security guarantee of hardware-isolated containers. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Kata Containers versions prior to 3.26.0 and assess exposure in production environments. Within 7 days: Apply vendor patch to upgrade Kata Containers to version 3.26.0 or later across all affected systems, beginning with critical infrastructure and production workloads. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today