SovereignCloudStack · garloff · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/blog/2026-02-17-cve-2026-24708.md b/blog/2026-02-17-cve-2026-24708.md
@@ -0,0 +1,103 @@
+---
+title: CVE-2026-24708 OpenStack Missing image format validation on resize
+authors: [garloff]
+slug: openstack_image_resize_missing_validation_cve_2026_24708
+tags: [security, openstack, cve]
+---
+
+## The vulnerability
+
+OpenStack supports a variety of image formats to ease migration from other
+virtualization platforms. The qemu-img tools are used to deal with these
+images. Unfortunately, OpenStack developers had to learn that qemu-img is
+not as robust as expected when dealing with untrusted images. This has lead to
+[CVE-2022-47951](https://sovereigncloudstack.org/community_blog/sovereign-cloud-stack-security-advisory-vmdk-image-processing-cve-2022-47951/)
+and
+[CVE-2024-32498](https://sovereigncloudstack.org/community_blog/scs-security-advisory-on-arbitrary-file-access-through-qcow2-external-data-file-cve-2024-32498/)
+and
+[CVE-2024-40767](https://sovereigncloudstack.org/community_blog/scs-security-advisory-on-incomplete-qcow2-and-vmdk-image-handling-protections-cve-2024-40767/)
+.
+
+Analyzing all potentially vulnerable code paths, at least one had been overlooked
+by developers before: When resizing VMs in Nova to a flavor with a new root
+disk/ephemeral disk size, and Nova's flat image backend is in use, `qemu-img` is called
+on the backing image file without an explicit format specifier, opening up the
+possibility to overwrite files on the host system by writing a malicious QCOW header
+to a root or ephemeral disk.
+
+This vulnerability has been assigned [CVE-2026-24708](https://nvd.nist.gov/vuln/detail/CVE-2026-24708).
+
+## Impact on the SCS software ecosystem
+
+By default, Nova uses cow images, i.e. `use_cow_images` in `nova.conf` defaults
+to `True`.
+
+This value is not changed in either [OSISM](https://osism.tech/) nor
+[yaook](https://alasca.cloud/en/projects/yaook/), so neither of these implementations
+is affected by the vulnerability. Operators need to have made a deliberate effort
+to override this setting.
+
+*If this setting is set to `False`, authenticated users may write malicious QCOW2
+or VMDK headers to the disk and then use the VM resize to overwrite files on the host
+with zeros, causing failure of the compute host.*
+
+The overwriting of arbitrary files with zeroes has been reproduced using QCOW
+headers; it may be possible to do more controlled damage (e.g. writing non-zeros)
+using more exotic features in e.g. the VMDK headers and this way cause more than
+a Denial-of-Service but gain privileges or exfiltrate data.
+
+Operators that are using `use_cow_images=False` in their nova config are
+advised to apply the fixes urgently or change this setting temporarily.
+
+## Embargo
+
+The issue has been reported to the OpenStack Vulnerability Management Team in
+private. The reporters and upstream developers have worked together to address
+the issue with fixes and an embargo date
+has been set to Tuesday, 2026-02-17, 15:00 UTC (16:00 CET). At this point in
+time, the patches get merged and the OpenStack Security Advisory
+[OSSA-2026-002](https://security.openstack.org/ossa/OSSA-2026-002.html) is
+published. The issue is tracked in OpenStack issue
+[#2137507](https://bugs.launchpad.net/nova/+bug/2137507), which should become
+publically accessible after the lift of the embargo and the publication
+of this advisory.
+
+Under the used responsible disclosure approach, the information was shared with
+a select group of trustable users of OpenStack, so they can prepare updates and
+protect their user data in time for the publication.
+
+## Mitigation and Fixes
+
+The temporary fix for this issue is to avoid `use_cow_images=false` in
+`/etc/nova.conf`. This will stop this issue from being triggered.
+Alternatively, full glance format-inspector protection should help against
+this.
+
+There are patches from the upstream OpenStack developers available. They work
+by passing `-f raw` to `qemu-img` when a resize happens with raw images and
+`-f qcow2` for QCOW2 images. Other images are disallowed for resizing.
+
+The SCS ecosystem software providers will provide fixed nova-compute images and
+installation instructions here as soon as the updated images are available:
+
+* [yaook](https://yaook.cloud/security-advisories-cve-2026-24708)
+* [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-002)
+
+## Thanks
+
+The author would like to thank Dan Smith, Jay Faulkner, Sylvain Bauza,
+Melanie Witt, and Jeremy Stanley for reporting, reproducing, fixing
+and coordinating this issue.
+
+<!-- BROKEN
+## Sovereign Cloud Stack Security Contact
+
+SCS security contact is <mailto:security@scs.community>, as published on
+<https://sovereigncloudstack.org/.well-known/security.txt>.
+-->
+
+## Version history
+
+* Mention glance format-inspector protection, v1.0, 2026-02-17, 15:30 CET.
+* Typos fixed, v0.6, 2026-02-16, 15:45 CET.
+* Initial Draft, v0.5, 2026-02-16, 15:00 CET.