Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708)

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Tue, Feb 17, 2026 at 03:01:31PM +0000, Jeremy Stanley wrote:
> =========================================================================
> OSSA-2026-002: Nova calls qemu-img without format restrictions for resize
> =========================================================================
>
> :Date: January 17, 2026
> :CVE: CVE-2026-24709
>
> Affects
> ~~~~~~~
> - Nova: <30.2.2, >=31.0.0 <31.2.1, >=32.0.0 <32.1.1
>
> Description
> ~~~~~~~~~~~
> Dan Smith from Red Hat reported a vulnerability in nova. By writing a
> malicious QCOW header to a root or ephemeral disk and then triggering a
> resize, a user may convince Nova's flat image backend to call qemu-img
> without a format restriction resulting in an unsafe image resize operation
> that could destroy data on the host system. Only compute nodes using the
> Flat image backend (usually configured with use_cow_images=False) are
> affected.
>
> Patches
> ~~~~~~~
> - https://review.opendev.org/977104 (2024.2/dalmatian)
> - https://review.opendev.org/977103 (2025.1/epoxy)
> - https://review.opendev.org/977101 (2025.2/flamingo)
> - https://review.opendev.org/977100 (2026.1/gazpacho)
>
> Credits
> ~~~~~~~
> - Dan Smith from Red Hat (CVE-2026-24708)
>
> References
> ~~~~~~~~~~
> - https://launchpad.net/bugs/2137507
> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24709

Just a small heads-up: The title mentions CVE-2026-24708, but the mail
body once CVE-2026-24708 and refers to CVE-2026-24709. My
understandign is that CVE-2026-24708 should be the correct one as this
was the CVE originally mentioned.

Jeremy, can you confirm: CVE-2026-2470*8* is the one to use?

Regards,
Salvatore