Kata Containers Security Update: Malformed Images Can Cause Filesystem Errors
OESA-2026-1599
Summary
A recent update fixes a problem in Kata Containers that could cause data corruption on the host machine when a container image is malformed or contains no layers. The host can see filesystem-level errors, and its block device may end up mounted read-only. To stay secure, update to version 3.26.0 or later.
What to do
- Update kata-containers-go to version 1.11.1-30.oe2403sp3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | kata-containers-go | <= 1.11.1-30.oe2403sp3 | 1.11.1-30.oe2403sp3 |
Original title
kata-containers-go security update
Original description
This is a core component of Kata Container. To make it work, you need an isulad/docker engine.
Security Fix(es):
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue. (CVE-2026-24054)
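The description names an image that "contains no layers" as the trigger. The following is an added example, not code from Kata Containers, containerd or openEuler: a Go check that flags such an image from its OCI manifest and config before it is scheduled on a Kata runtime. The field names follow the OCI image formats; `checkImage` and the sample documents are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the OCI image manifest and image config needed for the check.
type manifest struct {
	Layers []json.RawMessage `json:"layers"`
}

type imageConfig struct {
	RootFS struct {
		DiffIDs []string `json:"diff_ids"`
	} `json:"rootfs"`
}

// checkImage returns the reasons to refuse an image; empty means no finding.
func checkImage(manifestJSON, configJSON []byte) []string {
	var m manifest
	var c imageConfig
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return []string{"manifest is not valid JSON: " + err.Error()}
	}
	if err := json.Unmarshal(configJSON, &c); err != nil {
		return []string{"config is not valid JSON: " + err.Error()}
	}
	var findings []string
	if len(m.Layers) == 0 {
		findings = append(findings, "manifest lists no layers")
	}
	if len(m.Layers) != len(c.RootFS.DiffIDs) {
		findings = append(findings, fmt.Sprintf("manifest has %d layers but config has %d diff_ids",
			len(m.Layers), len(c.RootFS.DiffIDs)))
	}
	return findings
}

// Constructed sample documents, not taken from any real image.
const emptyManifest = `{"schemaVersion":2,"config":{"digest":"sha256:aaaa"},"layers":[]}`
const emptyConfig = `{"rootfs":{"type":"layers","diff_ids":[]}}`
const okManifest = `{"schemaVersion":2,"layers":[{"digest":"sha256:bbbb","size":1024}]}`
const okConfig = `{"rootfs":{"type":"layers","diff_ids":["sha256:cccc"]}}`

func main() {
	fmt.Println("empty image: ", checkImage([]byte(emptyManifest), []byte(emptyConfig)))
	fmt.Println("normal image:", checkImage([]byte(okManifest), []byte(okConfig)))
}
```

The check covers only the no-layers and layer-count-mismatch cases; other forms of malformed image are outside what it inspects.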
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24054 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026