Bug 2430312 (CVE-2026-24708)

Summary: CVE-2026-24708 openstack-nova-compute: Arbitrary Host File Overwrite via Unconstrained qemu-img Format Handling in OpenStack Nova
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: eglynn, jjoyce, jschluet, lhh, mburns, mgarciac, mmagr, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw in OpenStack Nova’s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-02-17   

Description OSIDB Bzimport 2026-01-16 06:34:39 UTC 
Unconstrained disk format handling vulnerability in OpenStack Nova when invoking the qemu-img utility. The flaw occurs because Nova does not strictly enforce the expected disk image format before calling qemu-img. An authenticated attacker can write a crafted QCOW2 header to a raw ephemeral or root disk. When Nova later performs operations such as instance resize, qemu-img interprets the disk as QCOW2 and overwrites arbitrary files on the compute host that Nova has write access to. This can be exploited without additional privileges or user interaction, allowing attackers to destroy other users’ data, corrupt Nova-managed files, or cause denial of service on the compute node.