OSSA-2026-002: Nova calls qemu-img without format restrictions for resize
| Property | Value |
|---|---|
| Date | 2026-02-17 |
| CVE | CVE-2026-24709 |
| Severity | High |
| Affected Project | Nova |
| Reporter | Dan Smith (Red Hat) |
Summary
A vulnerability was discovered in OpenStack Nova where malicious QCOW headers written to root
or ephemeral disks can trigger unsafe resize operations. When a resize is initiated, Nova's flat
image backend calls qemu-img without a format restriction, enabling potential data destruction
on host systems. Only systems using the flat image backend (typically with use_cow_images=False)
are affected.
Affected Versions
| Nova Version | Status |
|---|---|
| < 30.2.2 | Vulnerable |
| >= 31.0.0, < 31.2.1 | Vulnerable |
| >= 32.0.0, < 32.1.1 | Vulnerable |
| >= 30.2.2 (Dalmatian) | Fixed |
| >= 31.2.1 (Epoxy) | Fixed |
| >= 32.1.1 (Flamingo) | Fixed |
| >= 33.0.0 (Gazpacho) | Fixed |
Impact on OSISM
This vulnerability only affects OSISM deployments that use the flat image backend with
use_cow_images=False for the Nova compute service. Standard OSISM deployments use the
default configuration with COW images (use_cow_images=True) and are not affected.
You are potentially affected if:
- You have explicitly set use_cow_images=False in your Nova compute configuration
- You are using the flat image backend for instance disks
How to Check if You Are Affected
Check in the Configuration Repository
In OSISM, custom Nova configurations are managed in the configuration repository. Check if
use_cow_images has been set to False:
# In your configuration repository
grep -r "use_cow_images" environments/kolla/
grep -r "use_cow_images" inventory/
If no results are returned or the value is set to True, your deployment is not affected.
Check on the Running Deployment
Alternatively, check directly on a compute node:
docker exec nova_compute grep "use_cow_images" /etc/nova/nova.conf
If no results are returned or the value is True (the default), your deployment is
not affected.
Vulnerability Details
When a user initiates a resize (or migration) of an instance, Nova's flat image backend calls
qemu-img to process the disk images. The vulnerability arises because qemu-img is invoked
without restricting the expected image format. An attacker with access to an instance could write
malicious QCOW headers to a root or ephemeral disk. During a subsequent resize operation, the
crafted headers could cause qemu-img to misinterpret the disk contents, potentially leading to
data destruction on the host system.
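A detection sketch for the condition described above, added here as an example and not taken from the advisory or from Nova: it flags disk files that are expected to be raw but begin with the QCOW2 magic bytes, which is what a format-probing qemu-img call would act on. The function names and sample data are assumptions made for illustration; the disk paths to check are passed as arguments and depend on your deployment.

```python
#!/usr/bin/env python3
"""Flag disks expected to be raw that start with a QCOW2 header (added example)."""
import struct
import sys

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of every QCOW2 image
# Big-endian QCOW2 header prefix: magic, version, 16 bytes skipped
# (backing-file and cluster fields), then the virtual disk size.
HEADER = struct.Struct(">4sI16xQ")


def inspect_header(blob):
    """Return header details if blob starts with the QCOW2 magic, else None."""
    if len(blob) < 4 or blob[:4] != QCOW_MAGIC:
        return None
    info = {"version": None, "virtual_size": None}
    if len(blob) >= HEADER.size:  # a truncated header is still reported
        _, version, size = HEADER.unpack_from(blob)
        info.update(version=version, virtual_size=size)
    return info


def scan(paths):
    """Return {path: header_info} for each file whose content probes as QCOW2."""
    findings = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                info = inspect_header(fh.read(HEADER.size))
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
            continue
        if info is not None:
            findings[path] = info
    return findings


# Constructed sample data, not taken from a real instance disk.
SAMPLE_RAW = b"\x00" * 510 + b"\x55\xaa"           # MBR-style raw disk start
SAMPLE_QCOW = HEADER.pack(QCOW_MAGIC, 3, 1 << 30)  # header claiming 1 GiB

if __name__ == "__main__":
    hits = scan(sys.argv[1:])
    for path, info in hits.items():
        print(f"ALERT {path}: raw-backed disk carries a QCOW2 header {info}")
    sys.exit(1 if hits else 0)
```

A hit on a disk served by the flat backend means the guest-visible content would be probed as QCOW2; treat it as a reason to investigate the instance before any resize or migration.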
Remediation
For OSISM Releases
A fix will be included in upcoming OSISM releases that ship a patched Nova version. Consult the OSISM Release Notes for version information and availability.
Alternatively, you can use rolling tags to override the Nova container images with versions
that include the fix. Configure the following in environments/kolla/images.yml:
nova_tag: "2024.2" # or "2025.1", depending on your OpenStack release
Mitigation
If you are using the flat image backend with use_cow_images=False, consider the following
measures:
- Switching to the default COW image backend by setting use_cow_images=True
- Restricting the ability to resize or migrate instances to trusted administrators
- Monitoring for unusual resize or migration operations