CVE-2026-24708: CWE-669 Incorrect Resource Transfer Between Spheres in OpenStack Nova
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
AI Analysis
Technical Summary
CVE-2026-24708 is a vulnerability classified under CWE-669 (Incorrect Resource Transfer Between Spheres) in OpenStack Nova, the OpenStack compute service that manages virtual machine instances. It affects Nova releases before 30.2.2, 31.x before 31.2.1, and 32.x before 32.1.1. On compute nodes that use the libvirt driver's Flat image backend (selected when use_cow_images=False with [libvirt]images_type left at its default, or when images_type is set to raw/flat), a root or ephemeral disk is stored as a plain raw file in the instance directory, so the first bytes of that file are exactly what the guest wrote to the first sector of its disk. A tenant can therefore write a crafted QCOW (QEMU Copy-On-Write) header to the start of their own disk from inside the guest, with no access to the host at all. When the tenant then triggers a resize, the Flat backend invokes qemu-img on that file without telling it the format. Left to probe, qemu-img recognises the QCOW magic and handles the file according to the tenant-supplied header, which can describe the image however the tenant likes and can name other files on the host by path; the result is an unsafe resize operation that can corrupt or destroy data on the host. The weakness is a sphere-crossing trust error: content fully controlled by the tenant is handed to a host-side tool that is allowed to decide for itself how to interpret it. Exploitation needs only low privileges (a tenant with an instance on an affected node) and no interaction from anyone else, and it affects the integrity and availability of the host rather than confidentiality. Only Flat-backend compute nodes are exposed; the copy-on-write (Qcow2) backend used with the default use_cow_images=True is not affected. No public exploit has been reported, and the CVSS v3.1 base score of 8.2 (high) reflects the host-level damage reachable from an ordinary tenant.
Potential Impact
The impact of CVE-2026-24708 is significant for deployments that run Nova with the Flat image backend. Successful exploitation can destroy or corrupt data on the compute host itself, not merely the attacker's own disk, which affects the integrity and availability of the node: instances on that host can go down, host-resident data is at risk (on a compute node that includes the disk files of every other instance on the host), and any service hosted there is disrupted. Because the attacker only has to write to their own instance disk and request a resize, both of which any tenant can do, the bar is a malicious or compromised tenant account, not host or administrative access. Operators of private or public OpenStack clouds therefore face outages, data loss and recovery cost from an attack launched at the tenant level. Confidentiality is not directly affected; the risk is to operational continuity and data integrity. Deployments on the default copy-on-write backend are not exposed, so the practical scope is the subset of OpenStack installations that chose raw (Flat) instance disks.
Mitigation Recommendations
Upgrade Nova to 30.2.2, 31.2.1, 32.1.1 or later; the fixed releases stop the Flat backend from letting qemu-img guess the format of the disk it resizes. Until the upgrade lands, start by confirming which backend each compute node actually uses: check [DEFAULT]use_cow_images and [libvirt]images_type in nova.conf (the Flat backend is in use when use_cow_images=False with images_type at its default, or when images_type is raw or flat). Note that there is no way to stop a tenant writing a QCOW header to their own disk, since the guest owns every byte of its root and ephemeral disks; controls on who may write image headers are not a mitigation. Workarounds that do help: switch unpatched nodes to the copy-on-write backend (use_cow_images=True), which is not affected, but test the change on a non-production node first because it changes how instance disks are created and handled during resize and migration; and, where the operational cost is acceptable, narrow the trigger by limiting the resize API (for example the os_compute_api:servers:resize policy rule) to trusted roles until affected nodes are patched. For detection, periodically inspect the first bytes of Flat-backend disk files under instances_path: a raw disk written by a normal guest does not begin with the QCOW magic bytes 0x51 0x46 0x49 0xfb ("QFI" followed by 0xfb), so a file that does has been tampered with by its tenant and should be investigated before any resize is allowed. Log and alert on qemu-img resize executions spawned by nova-compute, keep host-level file integrity monitoring on paths outside the instances directory, and maintain tested backups of host and instance data so that a destructive resize is recoverable.
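The following is an added example, not Nova's own code and not part of the original advisory. It serves both the technical summary above (why letting qemu-img probe a tenant-written file is dangerous) and the detection and hardening steps in this section: it scans a Nova instances directory for Flat-backend disk files whose first bytes carry a QCOW header, reports the tenant-controlled fields (version, virtual size, backing file path) that a probing qemu-img would honour, and builds the qemu-img resize command with the format pinned to raw. Assumptions: Nova's default instances_path layout and disk file names (disk, disk.local, disk.ephN); the instance UUIDs, the backing file path and the disk contents in the fixtures are constructed for the demo.

```python
"""Scan Flat-backend instance disks for smuggled QCOW headers and build a
format-pinned qemu-img resize command. Added example; not Nova code."""
import struct
import sys
import tempfile
from pathlib import Path

QCOW_MAGIC = b"QFI\xfb"            # 0x51 0x46 0x49 0xfb, shared by qcow v1/v2/v3
# Leading fields of a qcow2 header (big-endian): magic, version,
# backing_file_offset, backing_file_size, cluster_bits, virtual size.
HEADER_FMT = ">4sIQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes
PROBE_BYTES = 64 * 1024                    # covers header plus backing-file name


def is_flat_disk_name(name: str) -> bool:
    """Nova's libvirt driver names raw root/ephemeral disks 'disk',
    'disk.local' and 'disk.ephN' (assumed default naming)."""
    return name in ("disk", "disk.local") or name.startswith("disk.eph")


def inspect_header(data: bytes):
    """Return None if the bytes are not a QCOW header; otherwise the fields
    the tenant controls and that qemu-img would trust if it probed the format."""
    if len(data) < HEADER_LEN or data[:4] != QCOW_MAGIC:
        return None
    _magic, version, bf_off, bf_len, cluster_bits, size = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    backing = None
    if bf_len and bf_off + bf_len <= len(data):
        backing = data[bf_off:bf_off + bf_len].decode("utf-8", "replace")
    return {"version": version, "virtual_size": size,
            "cluster_bits": cluster_bits, "backing_file": backing}


def scan_instances(instances_path) -> list:
    """Walk <instances_path>/<uuid>/ and flag raw disk files whose first bytes
    claim to be QCOW. A Flat-backend disk is written only by the guest, so any
    such header was placed there by the tenant."""
    findings = []
    for inst_dir in sorted(p for p in Path(instances_path).iterdir() if p.is_dir()):
        for disk in sorted(inst_dir.iterdir()):
            if not disk.is_file() or not is_flat_disk_name(disk.name):
                continue
            with disk.open("rb") as fh:
                hdr = inspect_header(fh.read(PROBE_BYTES))
            if hdr is not None:
                findings.append({"instance": inst_dir.name, "disk": disk.name, **hdr})
    return findings


def resize_argv(path, new_size, pin_format: bool = True) -> list:
    """qemu-img resize command line. With pin_format=True the format is fixed
    to raw (-f raw), so a QCOW header in the file is just guest data.
    pin_format=False reproduces the unsafe call, where qemu-img probes the file."""
    argv = ["qemu-img", "resize"]
    if pin_format:
        argv += ["-f", "raw"]
    return argv + [str(path), str(new_size)]


def build_demo_tree(base) -> Path:
    """Constructed fixtures (not real instances): one untouched raw disk and
    one ephemeral disk whose first sector a tenant overwrote with a
    QCOW2-style header naming a hypothetical host file as its backing file."""
    base = Path(base)
    clean = base / "11111111-1111-4111-8111-111111111111"
    clean.mkdir(parents=True)
    (clean / "disk").write_bytes(b"\x00" * 510 + b"\x55\xaa" + b"\x00" * 4096)
    tampered = base / "22222222-2222-4222-8222-222222222222"
    tampered.mkdir()
    backing = b"/var/lib/nova/instances/hypothetical-victim/disk"   # hypothetical path
    header = struct.pack(HEADER_FMT, QCOW_MAGIC, 3, 512, len(backing), 16, 20 * 1024 ** 3)
    blob = header.ljust(512, b"\x00") + backing
    (tampered / "disk.local").write_bytes(blob.ljust(4096, b"\x00"))
    (tampered / "disk").write_bytes(b"\x00" * 4096)
    return base


def demo() -> list:
    """Build the fixtures in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_instances(build_demo_tree(tmp))


if __name__ == "__main__":
    hits = scan_instances(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for hit in hits:
        print(f"{hit['instance']}/{hit['disk']}: QCOW v{hit['version']} header, "
              f"virtual size {hit['virtual_size']}, backing_file={hit['backing_file']!r}")
    if not hits:
        print("no QCOW headers found in raw disk files")
```

Run it with the compute node's instances_path as the only argument (the nova user needs read access to the disk files); with no argument it scans the constructed fixtures. The scan reads only the first 64 KiB of each file, so it is cheap enough to schedule from cron, and the reported backing_file value is exactly the kind of host path a probing qemu-img would follow, which is why the fixed Nova releases and resize_argv pin the format instead.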
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-24T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6996fb4b8fb9188dea8c0ded
Added to database: 2/19/2026, 12:00:11 PM
Last enriched: 2/28/2026, 2:05:52 PM
Last updated: 4/4/2026, 4:22:26 AM