CVE-2020-2026 — Link Following in Kata Runtime

Description

A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.

How to fix CVE-2020-2026

To remediate CVE-2020-2026, upgrade the affected package to a fixed version below.

—upgrade to 1.9.1 or later

Is CVE-2020-2026 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.9.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2026
WEBgithub.com/kata-containers/runtime/issues/2712
WEBgithub.com/kata-containers/runtime/pull/2713
WEBgithub.com/kata-containers/runtime/releases/tag/1.10.5
WEB