CVE-2026-33414
Description
Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.
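The quoting difference described above, as an added example (not Podman's code and not the upstream patch): the path is emitted as a PowerShell single-quoted literal, where nothing is expanded. `Get-Item` is a stand-in cmdlet, and the function names and sample path are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// psSingleQuotes lists every character PowerShell's tokenizer accepts as a
// single quote: ASCII ' plus U+2018, U+2019, U+201A and U+201B.
const psSingleQuotes = "'\u2018\u2019\u201a\u201b"

// unsafeCommand reproduces the flawed pattern: inside a double-quoted
// PowerShell string, $(...) in the path is evaluated. Stand-in cmdlet.
func unsafeCommand(imagePath string) string {
	return fmt.Sprintf(`Get-Item -LiteralPath "%s"`, imagePath)
}

// psQuote returns s as a PowerShell single-quoted literal. Nothing is
// expanded inside such a string; the only escape is a doubled quote.
func psQuote(s string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for _, r := range s {
		if strings.ContainsRune(psSingleQuotes, r) {
			b.WriteRune(r) // double the quote so it cannot end the literal
		}
		b.WriteRune(r)
	}
	b.WriteByte('\'')
	return b.String()
}

// safeCommand builds the same stand-in command with a literal path.
func safeCommand(imagePath string) string {
	return "Get-Item -LiteralPath " + psQuote(imagePath)
}

// expandsInDoubleQuotes reports whether s contains a character that
// PowerShell treats specially inside a double-quoted string.
func expandsInDoubleQuotes(s string) bool {
	return strings.ContainsAny(s, "$`\"\u201c\u201d\u201e")
}

func main() {
	p := `C:\vm\$(1+1)\it's.vhdx` // constructed sample path
	fmt.Println(unsafeCommand(p))
	fmt.Println(safeCommand(p))
	fmt.Println(expandsInDoubleQuotes(p))
}
```

Legitimate Windows paths can contain `$` or a backtick, so `expandsInDoubleQuotes` is suited to auditing existing machine names and image directories rather than to rejecting input.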
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/containers/podman/v4 (Go) | >= 4.8.0, <= 4.9.5 | — |
| github.com/containers/podman/v5 (Go) | < 5.8.2 | 5.8.2 |
Affected products
osv-coords (8 versions, no CPE listed for any entry):
| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/falco-no-driver | < 0.44.0-r0 |
| pkg:apk/chainguard/prometheus-podman-exporter | < 1.21.0-r4 |
| pkg:apk/chainguard/prometheus-podman-exporter-fips | < 1.21.0-r4 |
| pkg:apk/wolfi/falco-no-driver | < 0.44.0-r0 |
| pkg:apk/wolfi/prometheus-podman-exporter | < 1.21.0-r4 |
| pkg:golang/github.com/containers/podman/v4 | >= 4.8.0, <= 4.9.5 |
| pkg:golang/github.com/containers/podman/v5 | < 5.8.2 |
| pkg:rpm/opensuse/podman&distro=openSUSE%20Tumbleweed | < 5.8.2-1.1 |
References
- github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed (source: nvd; tags: Patch, WEB)
- github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59 (source: nvd; tags: Patch, Vendor Advisory, WEB)
- github.com/advisories/GHSA-hc8w-h2mf-hp59 (source: ghsa; tags: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33414 (source: ghsa; tags: ADVISORY)