Skip to main content

Microsoft CVE-2026-33414

MEDIUM
OS Command Injection (CWE-78)
2026-04-14 https://github.com/containers/podman GHSA-hc8w-h2mf-hp59
4.0
CVSS 4.0 · Vendor: https://github.com/containers/podman
Share

Severity by source

Vendor (https://github.com/containers/podman) PRIMARY
4.0 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/containers/podman).

CVSS VectorVendor: https://github.com/containers/podman

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 15, 2026 - 01:12 vuln.today
CVSS changed
Apr 14, 2026 - 23:22 NVD
4.0 (MEDIUM)
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
Patch released
Apr 14, 2026 - 22:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 22:30 nvd
MEDIUM 4.0

DescriptionCVE.org

Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection.

Affected Code

File: pkg/machine/hyperv/stubber.go:647

go
resize := exec.Command("powershell", []string{
    "-command",
    fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath.GetPath(), newSize.ToBytes()),
}...)

Root Cause

PowerShell evaluates $() subexpressions inside double-quoted strings before executing the outer command. The fmt.Sprintf call places the user-controlled image path directly into double quotes without escaping or sanitization.

Impact

An attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.

Patch

https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed

The affected code is only used on Windows, all other operating systems are not affected by this and can thus ignore the CVE patch.

Credit

We like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.

AnalysisAI

Command injection in Podman's HyperV machine backend allows local administrators with high privileges to execute arbitrary PowerShell commands at SYSTEM level on Windows hosts by crafting a malicious VM image path containing PowerShell subexpression syntax. The vulnerability affects Podman v4 and v5 on Windows only; a vendor patch is available via commit 571c842.

Technical ContextAI

Podman's HyperV backend (pkg/machine/hyperv/stubber.go) constructs PowerShell commands to manage virtual disk images using fmt.Sprintf to inject user-controlled image paths into double-quoted PowerShell strings. PowerShell interprets $() subexpressions within double quotes before command execution, enabling injection of arbitrary commands. The root cause is CWE-78 (OS Command Injection): unsanitized user input (VM image path derived from machine name or image directory) flows directly into a shell command context without escaping or validation. The affected code path is exclusive to Windows; Linux, macOS, and other platforms use alternative machine backends and are unaffected.

RemediationAI

Vendor-released patch: apply the fix from upstream commit 571c842bd357ee626019ea97d030fb772fc654ed, which properly escapes the image path argument before insertion into the PowerShell command string. Users should update Podman to the next stable release containing this commit. Until patching is possible, operators should restrict the ability to create Podman machines to trusted administrative users and avoid using untrusted or user-supplied values for VM image paths or machine names. For additional details and to verify patch availability for your specific Podman version, consult the GitHub security advisory at https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-33414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy