[OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) errata 1

[Jeremy Stanley <fungi () yuggoth org>]

=========================================================================
OSSA-2026-002: Nova calls qemu-img without format restrictions for resize
=========================================================================

:Date: January 17, 2026
:CVE: CVE-2026-24708

Affects
~~~~~~~
- Nova: <30.2.2, >=31.0.0 <31.2.1, >=32.0.0 <32.1.1

Description
~~~~~~~~~~~
Dan Smith from Red Hat reported a vulnerability in nova. By writing 
a malicious QCOW header to a root or ephemeral disk and then 
triggering a resize, a user may convince Nova's flat image backend 
to call qemu-img without a format restriction resulting in an unsafe 
image resize operation that could destroy data on the host system. 
Only compute nodes using the Flat image backend (usually configured 
with use_cow_images=False) are affected.

Errata
~~~~~~
The original advisory incorrectly referred and linked to 
CVE-2026-24709 in some places, but CVE-2026-24708 is the correct 
identifier.

Patches
~~~~~~~
- https://review.opendev.org/977104 (2024.2/dalmatian)
- https://review.opendev.org/977103 (2025.1/epoxy)
- https://review.opendev.org/977101 (2025.2/flamingo)
- https://review.opendev.org/977100 (2026.1/gazpacho)

Credits
~~~~~~~
- Dan Smith from Red Hat (CVE-2026-24708)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2137507
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24708

OSSA History
~~~~~~~~~~~~
- 2026-02-17 - Errata 1
- 2026-02-17 - Original Version

--
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

Attachment: signature.asc
Description: