CVE-2026-24834

CRITICAL 9.4

Kata Container to Guest micro VM privilege escalation

CVSS Score

9.4

EPSS Score

0.0%

EPSS Percentile

0th

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue.

CWE	CWE-732
Vendor	kata-containers
Product	kata-containers
Published	Feb 19, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for kata-containers kata-containers

Be the first to know when new critical vulnerabilities affecting kata-containers kata-containers are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

kata-containers / kata-containers

< 3.27.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/kata-containers/kata-containers/security/advisories/GHSA-wwj6-vghv-5p64 github.com: https://github.com/kata-containers/kata-containers/commit/6a672503973bf7c687053e459bfff8a9652e16bf github.com: https://github.com/kata-containers/kata-containers/releases/tag/3.27.0