| 1 | +--- |
| 2 | +title: CVE-2026-24708 OpenStack Missing image format validation on resize |
| 3 | +authors: [garloff] |
| 4 | +slug: openstack_image_resize_missing_validation_cve_2026_24708 |
| 5 | +tags: [security, openstack, cve] |
| 6 | +--- |
| 7 | + |
| 8 | +## The vulnerability |
| 9 | + |
| 10 | +OpenStack supports a variety of image formats to ease migration from other |
| 11 | +virtualization platforms. The qemu-img tools are used to deal with these |
| 12 | +images. Unfortunately, OpenStack developers had to learn that qemu-img is |
| 13 | +not as robust as expected when dealing with untrusted images. This has lead to |
| 14 | +[CVE-2022-47951](https://sovereigncloudstack.org/community_blog/sovereign-cloud-stack-security-advisory-vmdk-image-processing-cve-2022-47951/) |
| 15 | +and |
| 16 | +[CVE-2024-32498](https://sovereigncloudstack.org/community_blog/scs-security-advisory-on-arbitrary-file-access-through-qcow2-external-data-file-cve-2024-32498/) |
| 17 | +and |
| 18 | +[CVE-2024-40767](https://sovereigncloudstack.org/community_blog/scs-security-advisory-on-incomplete-qcow2-and-vmdk-image-handling-protections-cve-2024-40767/) |
| 19 | +. |
| 20 | + |
| 21 | +Analyzing all potentially vulnerable code paths, at least one had been overlooked |
| 22 | +by developers before: When resizing VMs in Nova to a flavor with a new root |
| 23 | +disk/ephemeral disk size, and Nova's flat image backend is in use, `qemu-img` is called |
| 24 | +on the backing image file without an explicit format specifier, opening up the |
| 25 | +possibility to overwrite files on the host system by writing a malicious QCOW header |
| 26 | +to a root or ephemeral disk. |
| 27 | + |
| 28 | +This vulnerability has been assigned [CVE-2026-24708](https://nvd.nist.gov/vuln/detail/CVE-2026-24708). |
| 29 | + |
| 30 | +## Impact on the SCS software ecosystem |
| 31 | + |
| 32 | +By default, Nova uses cow images, i.e. `use_cow_images` in `nova.conf` defaults |
| 33 | +to `True`. |
| 34 | + |
| 35 | +This value is not changed in either [OSISM](https://osism.tech/) nor |
| 36 | +[yaook](https://alasca.cloud/en/projects/yaook/), so neither of these implementations |
| 37 | +is affected by the vulnerability. Operators need to have made a deliberate effort |
| 38 | +to override this setting. |
| 39 | + |
| 40 | +*If this setting is set to `False`, authenticated users may write malicious QCOW2 |
| 41 | +or VMDK headers to the disk and then use the VM resize to overwrite files on the host |
| 42 | +with zeros, causing failure of the compute host.* |
| 43 | + |
| 44 | +The overwriting of arbitrary files with zeroes has been reproduced using QCOW |
| 45 | +headers; it may be possible to do more controlled damage (e.g. writing non-zeros) |
| 46 | +using more exotic features in e.g. the VMDK headers and this way cause more than |
| 47 | +a Denial-of-Service but gain privileges or exfiltrate data. |
| 48 | + |
| 49 | +Operators that are using `use_cow_images=False` in their nova config are |
| 50 | +advised to apply the fixes urgently or change this setting temporarily. |
| 51 | + |
| 52 | +## Embargo |
| 53 | + |
| 54 | +The issue has been reported to the OpenStack Vulnerability Management Team in |
| 55 | +private. The reporters and upstream developers have worked together to address |
| 56 | +the issue with fixes and an embargo date |
| 57 | +has been set to Tuesday, 2026-02-17, 15:00 UTC (16:00 CET). At this point in |
| 58 | +time, the patches get merged and the OpenStack Security Advisory |
| 59 | +[OSSA-2026-002](https://security.openstack.org/ossa/OSSA-2026-002.html) is |
| 60 | +published. The issue is tracked in OpenStack issue |
| 61 | +[#2137507](https://bugs.launchpad.net/nova/+bug/2137507), which should become |
| 62 | +publically accessible after the lift of the embargo and the publication |
| 63 | +of this advisory. |
| 64 | + |
| 65 | +Under the used responsible disclosure approach, the information was shared with |
| 66 | +a select group of trustable users of OpenStack, so they can prepare updates and |
| 67 | +protect their user data in time for the publication. |
| 68 | + |
| 69 | +## Mitigation and Fixes |
| 70 | + |
| 71 | +The temporary fix for this issue is to avoid `use_cow_images=false` in |
| 72 | +`/etc/nova.conf`. This will stop this issue from being triggered. |
| 73 | +Alternatively, full glance format-inspector protection should help against |
| 74 | +this. |
| 75 | + |
| 76 | +There are patches from the upstream OpenStack developers available. They work |
| 77 | +by passing `-f raw` to `qemu-img` when a resize happens with raw images and |
| 78 | +`-f qcow2` for QCOW2 images. Other images are disallowed for resizing. |
| 79 | + |
| 80 | +The SCS ecosystem software providers will provide fixed nova-compute images and |
| 81 | +installation instructions here as soon as the updated images are available: |
| 82 | + |
| 83 | +* [yaook](https://yaook.cloud/security-advisories-cve-2026-24708) |
| 84 | +* [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-002) |
| 85 | + |
| 86 | +## Thanks |
| 87 | + |
| 88 | +The author would like to thank Dan Smith, Jay Faulkner, Sylvain Bauza, |
| 89 | +Melanie Witt, and Jeremy Stanley for reporting, reproducing, fixing |
| 90 | +and coordinating this issue. |
| 91 | + |
| 92 | +<!-- BROKEN |
| 93 | +## Sovereign Cloud Stack Security Contact |
| 94 | +
|
| 95 | +SCS security contact is <mailto:security@scs.community>, as published on |
| 96 | +<https://sovereigncloudstack.org/.well-known/security.txt>. |
| 97 | +--> |
| 98 | + |
| 99 | +## Version history |
| 100 | + |
| 101 | +* Mention glance format-inspector protection, v1.0, 2026-02-17, 15:30 CET. |
| 102 | +* Typos fixed, v0.6, 2026-02-16, 15:45 CET. |
| 103 | +* Initial Draft, v0.5, 2026-02-16, 15:00 CET. |
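Review bot: the mitigation section (the lines reading "avoid `use_cow_images=false` in `/etc/nova.conf`") should state whether switching the option back to `True` also protects instances that already exist on the flat backend or only newly created ones, since the earlier paragraph describes the dangerous `qemu-img` call as running on the instance's existing backing file at resize time; an operator applying the temporary workaround needs to know whether existing flat-backend instances must additionally be kept from being resized until the patches are installed. The same lines write the path as `/etc/nova.conf` and the value as lowercase `false`, while the impact section writes `nova.conf` and `True`; use one spelling of the path (the standard location is `/etc/nova/nova.conf`) and the capitalised boolean throughout. The sentence "full glance format-inspector protection should help against this" is too vague to act on: name the Nova and Glance settings that have to be enabled for the format inspector to reject the malicious header, or drop the alternative. Minor wording: "has lead to" should be "has led to", "not changed in either OSISM nor yaook" should be "neither OSISM nor yaook", "publically" should be "publicly", and "trustable" should be "trusted".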