CVE-2026-24054: Kata Containers-Rootfs-Chaos - Wenn Containern Blöcke wachsen
Zusammenfassung
Eine Schwachstelle in Kata Containers vor Version 3.26.0 führt dazu, dass ein fehlerhaftes Container-Image den Host-Dateisystem-Takt durcheinander bringen kann. Ein Fallback-Mechanismus beim Starten des Containers verursacht Probleme beim Mounten des Rootfs, was Fehler auf Dateisystem-Ebene und sogar ein Read-Only-Mounting des Host-Blocks verursachen kann. Ein Patch in Version 3.26.0 behebt dieses Chaos.
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.
Quelle: app.opencve.io