Skip to main content

DNS CVE-2026-24054

CRITICAL
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-01-29 security-advisories@github.com
Critical
Disputed · 10.0 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Red Hat
7.3 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
PoC Detected
Feb 24, 2026 - 18:20 vuln.today
Public exploit code
Patch released
Feb 24, 2026 - 18:20 nvd
Patch available
CVE Published
Jan 29, 2026 - 18:16 nvd
CRITICAL 10.0

DescriptionGitHub Advisory

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.

AnalysisAI

Sandbox escape in Kata Containers allowing guest VM to access host resources. CVSS 10.0 — undermines the core security guarantee of hardware-isolated containers. PoC and patch available.

Technical ContextAI

CWE-754 improper check for unusual/exceptional conditions. Kata Containers uses lightweight VMs for container isolation — the escape breaks the VM boundary.

RemediationAI

Apply Kata Containers security update immediately.

More in DNS

View all
CVE-2019-25361 CRITICAL POC
9.8 Feb 18

Buffer overflow in Ayukov NFTP client 1.71 in SYST command handling allows remote FTP servers to execute arbitrary code

CVE-2019-25327 CRITICAL POC
9.8 Feb 12

Buffer overflow in Prime95 29.8 build 6 user ID field allows code execution. PoC available.

CVE-2019-25319 CRITICAL POC
9.8 Feb 12

Stack overflow in Domain Quester Pro 6.02 via SEH overwrite. PoC available.

CVE-2020-37095 CRITICAL POC
9.8 Feb 07

Cyberoam Authentication Client 2.1.2.7 has a buffer overflow allowing remote attackers to execute code through the netwo

CVE-2021-47774 CRITICAL POC
9.8 Jan 15

Kingdia CD Extractor 3.0.2 has a buffer overflow in the registration name field. PoC available.

CVE-2021-47785 CRITICAL POC
9.8 Jan 16

Ether MP3 CD Burner 1.3.8 has buffer overflow in registration enabling bind shell on port 3110 via SEH overwrite. PoC av

CVE-2019-25362 CRITICAL POC
9.8 Feb 18

Buffer overflow in WMV to AVI MPEG DVD Convertor 4.6.1217 allows code execution via crafted media files. PoC available.

CVE-2020-37119 CRITICAL POC
9.8 Feb 05

Stack-based buffer overflow in Nsauditor Network Auditing Tool 3.0.28 and 3.2.1.0 in the DNS Lookup tool allows attacker

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2026-2186 HIGH POC
8.8 Feb 08

Stack-based buffer overflow in Tenda RX3 firmware 16.03.13.11 allows authenticated remote attackers to achieve full syst

CVE-2026-3379 HIGH POC
8.8 Mar 01

Remote code execution in Tenda F453 1.0.0.3 DNS firmware via a buffer overflow in the /goform/SetIpBind endpoint allows

CVE-2019-25318 HIGH POC
8.8 Feb 12

AVS Audio Converter 9.1.2.600 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by

Vendor StatusVendor

Share

CVE-2026-24054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy