CVE-2026-41326

CVE-2026-41326 is a high-severity security vulnerability in github.com/kata-containers/kata-containers (go), affecting versions < 0.0.0-20260422180503-1b9e49eb2763. It is fixed in 0.0.0-20260422180503-1b9e49eb2763.

Summary

An oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs.

Details

Here is the policy that covers CopyFile requests.

CopyFileRequest if {
    print("CopyFileRequest: input.path =", input.path)
        
    check_directory_traversal(input.path)
        
    some regex1 in policy_data.request_defaults.CopyFileRequest
    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
    regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
    print("CopyFileRequest: regex4 =", regex4)
    
    regex.match(regex4, input.path)
      
    print("CopyFileRequest: true")
}

This checks that files are being copied to policy_data.common.cpath, which is typically set to /run/kata-containers/shared/containers. In other words, you're allowed to copy files to anywhere inside the shared dir.

For reference, here is the CopyFile message. Note that none of the other fields are check in the policy.

message CopyFileRequest {
	// Path is the destination file in the guest. It must be absolute,
	// canonical and below /run.
	string path = 1;
	// FileSize is the expected file size, for security reasons write operations
	// are made in a temporary file, once it has the expected size, it's moved
	// to the destination path.
	int64 file_size = 2;
	// FileMode is the file mode.
	uint32 file_mode = 3;
	// DirMode is the mode for the parent directories of destination path.
	uint32 dir_mode = 4;
	// Uid is the numeric user id.
	int32 uid = 5;
	// Gid is the numeric group id.
	int32 gid = 6;
	// Offset for the next write operation.
	int64 offset = 7;
	// Data to write in the destination file.
	bytes data = 8;
}

In addition to copying files directly, the Kata Agent supports creating symlinks via the CopyFile API. In this case the path is the symlink name and the data field contains the symlink target. Given that the policy only checks the path, an attacker can craft a CopyFile request that results in a symlink going from any location into the shared dir.

PoC

The above primitive can be used to to write arbitrary data into container images (pulled in the guest or otherwise). A couple steps are required.

First, identify some target path in the guest image. This could be a binary that will be called by the workload. You could also experiment with overwriting other stuff.

Create a symlink from this binary to the shared dir. The path/link name should be in the shared dir and the data/target should point to the path of the target file inside the container image in the guest fs.

Create a second CopyFile request to copy your data from the host into the symlink you just created in the shared dir. This will then be propagated into the image. You may want to restart the container to ensure that your new binary is invoked.

Impact

Anyone who is using the upstream genpolicy implementation and expects it to prevent host access to container images is vulnerable This includes Confidential Containers workloads where the trust model explicitly forbids this type of access. If you have your own policy implementation you may or may not be vulnerable. If you do not care about protecting the image from the host (e.g. you are using unprotected host pull), you are not vulnerable.

This was individually discovered and reported by

  • @calonso-nv
  • @fikriwahab
  • @kodareef5

CVE-2026-41326 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260422180503-1b9e49eb2763); upgrading removes the vulnerable code path.

Affected versions

github.com/kata-containers/kata-containers (< 0.0.0-20260422180503-1b9e49eb2763)

Security releases

github.com/kata-containers/kata-containers → 0.0.0-20260422180503-1b9e49eb2763 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/kata-containers/kata-containers to 0.0.0-20260422180503-1b9e49eb2763 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41326? CVE-2026-41326 is a high-severity security vulnerability in github.com/kata-containers/kata-containers (go), affecting versions < 0.0.0-20260422180503-1b9e49eb2763. It is fixed in 0.0.0-20260422180503-1b9e49eb2763.
  2. How severe is CVE-2026-41326? CVE-2026-41326 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/kata-containers/kata-containers are affected by CVE-2026-41326? github.com/kata-containers/kata-containers (go) versions < 0.0.0-20260422180503-1b9e49eb2763 is affected.
  4. Is there a fix for CVE-2026-41326? Yes. CVE-2026-41326 is fixed in 0.0.0-20260422180503-1b9e49eb2763. Upgrade to this version or later.
  5. Is CVE-2026-41326 exploitable, and should I be worried? Whether CVE-2026-41326 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-41326 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41326? Upgrade github.com/kata-containers/kata-containers to 0.0.0-20260422180503-1b9e49eb2763 or later.

Other vulnerabilities in github.com/kata-containers/kata-containers

CVE-2026-47243CVE-2026-44210

Stop the waste.
Protect your environment with Kodem.