=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN186
_____________________________________________________________________

DATE                : 18/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nova versions <30.2.2, 
                         >=31.0.0 <31.2.1, >=32.0.0 <32.1.1.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-002.html
_____________________________________________________________________

=========================================================================
OSSA-2026-002: Nova calls qemu-img without format restrictions for resize
=========================================================================

:Date: January 17, 2026
:CVE: CVE-2026-24709

Affects
~~~~~~~
- Nova: <30.2.2, >=31.0.0 <31.2.1, >=32.0.0 <32.1.1

Description
~~~~~~~~~~~
Dan Smith from Red Hat reported a vulnerability in Nova. By writing
a malicious QCOW header to a root or ephemeral disk and then
triggering a resize, a user may convince Nova's flat image backend
to call qemu-img without a format restriction, resulting in an unsafe
image resize operation that could destroy data on the host system.
Only compute nodes using the Flat image backend (usually configured
with use_cow_images=False) are affected.
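
To triage compute nodes against the conditions above, the following added example (not part of the OSSA or of Nova's code) combines the affected version ranges with a check of nova.conf for the Flat backend. The function names, the sample configs and the handling of [libvirt]/images_type are assumptions of this example; the advisory itself only names use_cow_images=False.

```python
import configparser

# Affected ranges copied from the "Affects" line: [low, fixed) per release series.
AFFECTED = [((0, 0, 0), (30, 2, 2)), ((31, 0, 0), (31, 2, 1)), ((32, 0, 0), (32, 1, 1))]


def parse_version(text):
    """Turn '31.2.0' into (31, 2, 0); pre-release suffixes are not handled."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(text):
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in AFFECTED)


def uses_flat_backend(nova_conf_text):
    """True when the config selects the Flat image backend.

    Assumption (not from the advisory): [libvirt]/images_type of 'flat' or
    the older 'raw' selects Flat directly, and 'default' (or unset) falls
    back to [DEFAULT]/use_cow_images, which defaults to True.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(nova_conf_text)
    images_type = cfg.get("libvirt", "images_type", fallback="default").strip().lower()
    if images_type in ("flat", "raw"):
        return True
    if images_type != "default":
        return False
    cow = cfg.get("DEFAULT", "use_cow_images", fallback="true").strip().lower()
    return cow in ("false", "0", "no", "off")


def node_exposed(nova_version, nova_conf_text):
    """Both conditions from the advisory: affected version and Flat backend."""
    return version_affected(nova_version) and uses_flat_backend(nova_conf_text)


# Constructed sample nova.conf fragments, not taken from a real deployment.
FLAT_CONF = "[DEFAULT]\nuse_cow_images = False\n\n[libvirt]\nvirt_type = kvm\n"
QCOW_CONF = "[DEFAULT]\nuse_cow_images = True\n"

if __name__ == "__main__":
    for ver in ("30.2.1", "31.2.1", "32.1.0"):
        print(ver, "flat:", node_exposed(ver, FLAT_CONF), "qcow2:", node_exposed(ver, QCOW_CONF))
```

A node reported as exposed needs the patched Nova release for its series; changing the image backend on a node with existing instances is not a substitute for the fix.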

Patches
~~~~~~~
- https://review.opendev.org/977104 (2024.2/dalmatian)
- https://review.opendev.org/977103 (2025.1/epoxy)
- https://review.opendev.org/977101 (2025.2/flamingo)
- https://review.opendev.org/977100 (2026.1/gazpacho)

Credits
~~~~~~~
- Dan Smith from Red Hat (CVE-2026-24708)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2137507
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24709

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




