Source: nova Version: 2:31.0.0-6+deb13u1 Severity: grave copying pre-OSSA:
This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date. Dan Smith from Red Hat reported a vulnerability in nova. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's flat image backend to call qemu-img without a format restriction resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to their corresponding branches on the public disclosure date. CVE: CVE-2026-24708 Proposed public disclosure date/time: 2026-02-17 1500UTC Please do not make the issue public (or release public patches) before this coordinated embargo date. Original private report: https://launchpad.net/bugs/2137507 For access to read and comment on this report, please reply to me with your Launchpad username and I will subscribe you. -- Jay Faulkner OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html
