Description
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
Published: 2026-02-18
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Host File Overwrite
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in OpenStack Nova prior to certain releases and allows a malicious QCOW header to be written to a root or temporary disk and then used to trigger a resize operation. Because the Flat image backend calls qemu‑img without a format restriction, the resize can overwrite arbitrary files on the host system, potentially destroying critical data or configuration. The weakness is tied to CWE‑669 “Security Function” and CWE‑73 “Path Manipulation.”

Affected Systems

Affected systems are compute nodes that use the Flat image backend in OpenStack Nova, with the configuration use_cow_images set to False. The issue applies to Nova versions earlier than 30.2.2, 31.2.1, and 32.1.1.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, though the EPSS score of less than 1% implies a low exploitation likelihood. The vulnerability is not listed in KEV. Attackers need the ability to create and upload a malicious image or QCOW header and must target a compute node configured with the Flat backend, which limits the attack surface to environments that have enabled this feature. Based on the description, it is inferred that the attack vector is internal to the compute service and requires authenticated actions to create or trigger the unsafe resize.

Generated by OpenCVE AI on April 17, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Nova release 30.2.2 or later, 31.2.1 or later, or 32.1.1 or later, to receive the fix that restricts qemu‑img format handling.
  • Reconfigure compute nodes to disable the Flat image backend or set use_cow_images=True to enforce copy‑on‑write.
  • If immediate update is not possible, restrict image uploads to trusted formats, validate QCOW headers before allowing resized images, and avoid using the Flat backend.

Generated by OpenCVE AI on April 17, 2026 at 18:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4486-1 nova security update
Debian DSA Debian DSA DSA-6145-1 nova security update
Github GHSA Github GHSA GHSA-m4f3-qp2w-gwh6 OpenStack Nova calls qemu-img without format restrictions for resize
Ubuntu USN Ubuntu USN USN-8049-1 Nova vulnerability
History

Sat, 21 Feb 2026 05:30:00 +0000

Type Values Removed Values Added
References

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Openstack compute
Vendors & Products Openstack compute

Wed, 18 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description A flaw in OpenStack Nova’s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize. An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
First Time appeared Openstack
Openstack nova
Weaknesses CWE-669
CPEs cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack nova
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H'}

Wed, 18 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Description A flaw in OpenStack Nova’s interaction with the qemu-img utility allows an authenticated user to overwrite arbitrary files on the compute host. This occurs because Nova invokes qemu-img without strictly constraining the disk image format, enabling a malicious user to craft a QCOW2 header on a raw disk and trigger destructive behavior during instance operations such as resize.
Title openstack-nova-compute: Arbitrary Host File Overwrite via Unconstrained qemu-img Format Handling in OpenStack Nova
Weaknesses CWE-73
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

threat_severity

Important

Subscriptions

Openstack Compute Nova
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-21T04:31:45.294Z

Reserved: 2026-01-24T00:00:00.000Z

Link: CVE-2026-24708

cve-icon Vulnrichment

Updated: 2026-02-21T04:31:45.294Z

cve-icon NVD

Status : Deferred

Published: 2026-02-18T18:24:33.087

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24708

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-17T15:00:00Z

Links: CVE-2026-24708 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses