Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XKatacontainers Kata Containers
APPKatacontainers< 3.26.0
Related vulnerabilities
Kata Containers: modyfikacja systemu plików VM umożliwia RCE jako root
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machine...
An issue was discovered in Kata Containers through 1.11.3 and 2.x through 2.0-rc1. The runtime will execute bi...
An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes ho...
A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running mul...