diff --git a/blog/2026-02-17-cve-2026-24708.md b/blog/2026-02-17-cve-2026-24708.md new file mode 100644 index 0000000000..3174d1f12e --- /dev/null +++ b/blog/2026-02-17-cve-2026-24708.md 
@@ -0,0 +1,103 @@ +--- +title: CVE-2026-24708 OpenStack Missing image format validation on resize +authors: [garloff] +slug: openstack_image_resize_missing_validation_cve_2026_24708 +tags: [security, openstack, cve] +--- + +## The vulnerability + +OpenStack supports a variety of image formats to ease migration from other +virtualization platforms. The qemu-img tools are used to deal with these +images. Unfortunately, OpenStack developers had to learn that qemu-img is +not as robust as expected when dealing with untrusted images. This has lead to +[CVE-2022-47951](https://sovereigncloudstack.org/community_blog/sovereign-cloud-stack-security-advisory-vmdk-image-processing-cve-2022-47951/) +and +[CVE-2024-32498](https://sovereigncloudstack.org/community_blog/scs-security-advisory-on-arbitrary-file-access-through-qcow2-external-data-file-cve-2024-32498/) +and +[CVE-2024-40767](https://sovereigncloudstack.org/community_blog/scs-security-advisory-on-incomplete-qcow2-and-vmdk-image-handling-protections-cve-2024-40767/) +. + +Analyzing all potentially vulnerable code paths, at least one had been overlooked +by developers before: When resizing VMs in Nova to a flavor with a new root +disk/ephemeral disk size, and Nova's flat image backend is in use, `qemu-img` is called +on the backing image file without an explicit format specifier, opening up the +possibility to overwrite files on the host system by writing a malicious QCOW header +to a root or ephemeral disk. + +This vulnerability has been assigned [CVE-2026-24708](https://nvd.nist.gov/vuln/detail/CVE-2026-24708). + +## Impact on the SCS software ecosystem + +By default, Nova uses cow images, i.e. `use_cow_images` in `nova.conf` defaults +to `True`. + +This value is not changed in either [OSISM](https://osism.tech/) nor +[yaook](https://alasca.cloud/en/projects/yaook/), so neither of these implementations +is affected by the vulnerability. Operators need to have made a deliberate effort +to override this setting. 
+ +*If this setting is set to `False`, authenticated users may write malicious QCOW2 +or VMDK headers to the disk and then use the VM resize to overwrite files on the host +with zeros, causing failure of the compute host.* + +The overwriting of arbitrary files with zeroes has been reproduced using QCOW +headers; it may be possible to do more controlled damage (e.g. writing non-zeros) +using more exotic features in e.g. the VMDK headers and this way cause more than +a Denial-of-Service but gain privileges or exfiltrate data. + +Operators that are using `use_cow_images=False` in their nova config are +advised to apply the fixes urgently or change this setting temporarily. + +## Embargo + +The issue has been reported to the OpenStack Vulnerability Management Team in +private. The reporters and upstream developers have worked together to address +the issue with fixes and an embargo date +has been set to Tuesday, 2026-02-17, 15:00 UTC (16:00 CET). At this point in +time, the patches get merged and the OpenStack Security Advisory +[OSSA-2026-002](https://security.openstack.org/ossa/OSSA-2026-002.html) is +published. The issue is tracked in OpenStack issue +[#2137507](https://bugs.launchpad.net/nova/+bug/2137507), which should become +publically accessible after the lift of the embargo and the publication +of this advisory. + +Under the used responsible disclosure approach, the information was shared with +a select group of trustable users of OpenStack, so they can prepare updates and +protect their user data in time for the publication. + +## Mitigation and Fixes + +The temporary fix for this issue is to avoid `use_cow_images=false` in +`/etc/nova.conf`. This will stop this issue from being triggered. +Alternatively, full glance format-inspector protection should help against +this. + +There are patches from the upstream OpenStack developers available. They work +by passing `-f raw` to `qemu-img` when a resize happens with raw images and +`-f qcow2` for QCOW2 images. 
Other images are disallowed for resizing. + +The SCS ecosystem software providers will provide fixed nova-compute images and +installation instructions here as soon as the updated images are available: + +* [yaook](https://yaook.cloud/security-advisories-cve-2026-24708) +* [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-002) + +## Thanks + +The author would like to thank Dan Smith, Jay Faulkner, Sylvain Bauza, +Melanie Witt, and Jeremy Stanley for reporting, reproducing, fixing +and coordinating this issue. + + + +## Version history + +* Mention glance format-inspector protection, v1.0, 2026-02-17, 15:30 CET. +* Typos fixed, v0.6, 2026-02-16, 15:45 CET. +* Initial Draft, v0.5, 2026-02-16, 15:00 CET.
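Review bot: In "Mitigation and Fixes", the sentence "full glance format-inspector protection should help against this" is hedged and the post does not say how it applies here: the Impact section describes the trigger as an authenticated user writing a QCOW2 or VMDK header to the VM's own root or ephemeral disk and then resizing, which is a guest-written disk, not an image uploaded through Glance, so either explain which code path the format inspector covers in this case or drop it from the mitigation list and keep the `use_cow_images` advice as the only workaround. Same section: the config file is given as `/etc/nova.conf` while earlier text refers to `nova.conf`; please make these agree (the conventional location is `/etc/nova/nova.conf`), and use one spelling for the boolean (`True`/`False` in one place, `use_cow_images=false` in another). Smaller fixes in "The vulnerability" and "Embargo": "This has lead to" should read "This has led to", the stray " ." after the third CVE link should be joined to the link, "publically" should be "publicly", and "a select group of trustable users" reads better as "a select group of trusted users". Finally, "Other images are disallowed for resizing." belongs on the same line as the preceding sentence about `-f raw` and `-f qcow2` rather than starting a new paragraph.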