CVE-2026-41326

Kata Containers: CopyFile Policy Subversion via Symlinks

CVSS 8.2 HIGHEPSS 0.3%CWE-61

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.2EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

24 abr 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs. This vulnerability is fixed in v3.29.0.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N

Productos afectados

kata-containers · kata-containers

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/kata-containers/kata-containers/commit/1b9e49eb2763aa6ea6a99b276d3ff5e2c7f658f2 https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc http://www.openwall.com/lists/oss-security/2026/05/13/2