OSSA-2026-002: Nova calls qemu-img without format restrictions for resize

Date:

January 17, 2026

CVE:

CVE-2026-24708

Affects

• Nova: <30.2.2, >=31.0.0 <31.2.1, >=32.0.0 <32.1.1

Description

Dan Smith from Red Hat reported a vulnerability in nova. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova’s flat image backend to call qemu-img without a format restriction resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.

Errata

The original advisory incorrectly referred and linked to CVE-2026-24709 in some places, but CVE-2026-24708 is the correct identifier.

Patches

• https://review.opendev.org/977104 (2024.2/dalmatian)

• https://review.opendev.org/977103 (2025.1/epoxy)

• https://review.opendev.org/977101 (2025.2/flamingo)

• https://review.opendev.org/977100 (2026.1/gazpacho)

Credits

• Dan Smith from Red Hat (CVE-2026-24708)

References

• https://launchpad.net/bugs/2137507

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24708

OSSA History

• 2026-02-17 - Errata 1

• 2026-02-17 - Original Version