YAOOK Security Advisory for CVE-2026-24708 /CVE-2026-24709

• Date: 2026-01-15
• Upstream advisory: https://security.openstack.org/ossa/OSSA-2026-002.html
• Upstream bug report: https://bugs.launchpad.net/nova/+bug/2137507

What is CVE-2026-24708 / CVE-2026-24709 and how does it affect YAOOK?

By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's flat image backend to call qemu-img without a format restriction resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.

Is my cluster vulnerable?

The following images are vulnerable:

• nova-compute images before 4.1.183

If any of these images are used in your cluster, the cluster is vulnerable.

By default, yaook don't set use_cow_images, so all yaook clusters with default settings should not be affected.

Mitigating factors

As all OpenStack services deployed via YAOOK run inside containers, the exposure possibilities are more limited than in non-containerised OpenStack deployments.

However, the vulnerability is still critical. If an attacker manages to exploit nova-compute, it is likely possible to exfiltrate disks and potentially also volumes from other workload running on the same or potentially also other hypervisors.

Upgrading

A new stable release 1.2.1 has been published today. You can upgrade to that release simply by updating your operators.

If you don't want to wait for the release, you can use a version override at the nova-operator (adjust the OpenStack version to the version you have deployed):

values:
  operator:
    extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
        registry.yaook.cloud/yaook/nova-compute-2025.1-ubuntu: registry.yaook.cloud/yaook/nova-compute-2025.1-ubuntu:4.1.183 


In case you have a large fleet of nova compute nodes, you may want to follow the following procedure in order to speed up the process:

• NOTE: This procedure bypasses several safety mechansims within YAOOK. Use at your own risk! It is similar to the impact of using yaookctl force-upgrade on all compute nodes.

1. Update all operators except the nova-compute-operator to the new release.
2. Reduce the replica count of the nova-compute-operator deployment to 0.
3. For each NovaComputeNode nova-compute statefulset, update the nova-compute image version to 4.1.183.
4. Wait for the StatefulSets to settle.
5. Update the nova-compute operator, while making sure that it is scaled back up to 1 replica.