{"schema_version":"1.7.2","id":"OESA-2026-1599","modified":"2026-03-15T05:56:04Z","published":"2026-03-15T05:56:04Z","upstream":["CVE-2026-24054"],"summary":"kata-containers-go security update","details":"This is core component of Kata Container, to make it work, you need a isulad/docker engine.\r\n\r\nSecurity Fix(es):\n\nKata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.(CVE-2026-24054)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"kata-containers-go","purl":"pkg:rpm/openEuler/kata-containers-go&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.11.1-30.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["kata-containers-go-1.11.1-30.oe2403sp3.aarch64.rpm"],"src":["kata-containers-go-1.11.1-30.oe2403sp3.src.rpm"],"x86_64":["kata-containers-go-1.11.1-30.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1599"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24054"}],"database_specific":{"severity":"Critical"}}