High severity 8.2 · NVD Advisory · Published Feb 18, 2026 · Updated Apr 15, 2026
CVE-2026-24708
Description
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
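A defensive check for the condition described above, as an added example that is not part of the advisory or of Nova's code: it flags disk files that begin with a QCOW header where raw content is expected, and builds a `qemu-img resize` command line with the format pinned via `-f raw`. The directory layout, the `disk*` file naming and all function names are assumptions, and the sample files are constructed.

```python
import struct
import tempfile
from pathlib import Path

QCOW_MAGIC = b"QFI\xfb"  # leading bytes of a QCOW/QCOW2 header


def qcow_header_info(path):
    """Return None for a file without the QCOW magic, else the header version."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:4] != QCOW_MAGIC:
        return None
    # The version is a big-endian u32 right after the magic; a truncated
    # header is still reported, with the version left unknown.
    version = struct.unpack(">I", head[4:8])[0] if len(head) == 8 else None
    return {"version": version}


def find_suspect_disks(instances_dir):
    """List disk files that carry a QCOW header although raw data is expected.

    Assumption: one sub-directory per instance, disk files named disk*.
    """
    root = Path(instances_dir)
    hits = []
    for path in sorted(root.glob("*/disk*")):
        info = qcow_header_info(path) if path.is_file() else None
        if info is not None:
            hits.append((path.relative_to(root).as_posix(), info))
    return hits


def resize_argv(path, new_size_bytes):
    """qemu-img resize command line with the format pinned to raw (-f raw),
    so the tool does not probe the guest-writable content for a format."""
    return ["qemu-img", "resize", "-f", "raw", str(path), str(new_size_bytes)]


def write_constructed_samples(root):
    """Constructed sample tree: one clean raw disk, one with a QCOW magic."""
    root = Path(root)
    for name in ("inst-a", "inst-b"):
        (root / name).mkdir()
    (root / "inst-a" / "disk").write_bytes(b"\x00" * 512)
    header = QCOW_MAGIC + struct.pack(">I", 3)
    (root / "inst-b" / "disk.eph0").write_bytes(header.ljust(512, b"\x00"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        print(find_suspect_disks(tmp))
```

A hit is only a triage signal: on a node where the Flat backend is allowed to keep images in their original format, a QCOW header on a disk can be legitimate.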
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Nova (PyPI) | >= 32.0.0.0rc1, <= 32.1.0 | — |
| Nova (PyPI) | >= 31.0.0.0rc1, <= 31.2.0 | — |
| Nova (PyPI) | <= 30.2.1 | — |
References
- github.com/advisories/GHSA-m4f3-qp2w-gwh6 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24708 (GHSA, advisory)
- bugs.launchpad.net/nova/+bug/2137507 (NVD, web)
- github.com/openstack/nova/commit/3eba22ff09c81a61750fbb4882e5f1f01a20fdf5 (GHSA, web)
- lists.debian.org/debian-lts-announce/2026/02/msg00025.html (NVD, web)
- www.openwall.com/lists/oss-security/2026/02/17/7 (NVD, web)