
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 28,005 of 28,835   
   Thomas Goirand to All   
   Bug#1128294: CVE-2026-24708: malicious Q   
   17 Feb 26 15:40:02   
   
   From: zigo@debian.org   
      
   Source: nova   
   Version: 2:31.0.0-6+deb13u1   
   Severity: grave   
      
   copying pre-OSSA:   
      
   This is an advance warning of a vulnerability discovered in   
   OpenStack, to give you, as downstream stakeholders, a chance to   
   coordinate the release of fixes and reduce the vulnerability window.   
   Please treat the following information as confidential until the   
   proposed public disclosure date.   
      
   Dan Smith from Red Hat reported a vulnerability in nova. By   
   writing a malicious QCOW header to a root or ephemeral disk   
   and then triggering a resize, a user may convince Nova's flat   
   image backend to call qemu-img without a format restriction   
   resulting in an unsafe image resize operation that could   
   destroy data on the host system.   
      
   Only compute nodes using the Flat image backend (usually   
   configured with use_cow_images=False) are affected.   
      
   Proposed patch:   
   See attached patches. Unless a flaw is discovered in them, these   
   patches will be merged to their corresponding branches on the public   
   disclosure date.   
      
   CVE: CVE-2026-24708   
      
   Proposed public disclosure date/time:   
   2026-02-17 1500UTC   
      
   Please do not make the issue public (or release public patches)   
   before this coordinated embargo date.   
      
   Original private report:   
   https://launchpad.net/bugs/2137507   
      
   For access to read and comment on this report, please reply to me   
   with your Launchpad username and I will subscribe you.   
      
   --   
   Jay Faulkner   
   OpenStack Vulnerability Management Team   
   https://security.openstack.org/vmt.html   
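
The advisory above describes qemu-img being called without a format restriction on a disk whose first bytes the guest controls. As an added example (not part of the original message and not the nova patch), this Python sketch pins the format on the resize command line and flags a disk expected to be raw that begins with the QCOW magic; the function names and the allowed-format set are assumptions.

```python
import os
import struct
import tempfile

QCOW_MAGIC = b"QFI\xfb"             # first four bytes of a QCOW/QCOW2 image
ALLOWED_FORMATS = {"raw", "qcow2"}  # assumption: formats this sketch accepts


def probe_header(path):
    """Return None if the file has no QCOW magic, else a dict of header fields."""
    with open(path, "rb") as fh:
        head = fh.read(20)
    if len(head) < 8 or head[:4] != QCOW_MAGIC:
        return None
    (version,) = struct.unpack(">I", head[4:8])
    backing_off, backing_len = 0, 0
    if len(head) >= 20:
        # QCOW2 layout: backing_file_offset (u64) then backing_file_size (u32)
        backing_off, backing_len = struct.unpack(">QI", head[8:20])
    return {"version": version,
            "has_backing_ref": backing_off != 0 and backing_len != 0}


def plan_resize(path, new_size_bytes, expected_format):
    """Build a qemu-img resize argv with an explicit -f, plus an alert flag.

    The explicit format is the control: qemu-img never probes the content.
    The flag is a detection signal: a disk the host treats as raw should not
    normally start with a QCOW header.
    """
    if expected_format not in ALLOWED_FORMATS:
        raise ValueError("unexpected disk format: %r" % expected_format)
    suspicious = expected_format == "raw" and probe_header(path) is not None
    argv = ["qemu-img", "resize", "-f", expected_format,
            path, str(int(new_size_bytes))]
    return argv, suspicious


if __name__ == "__main__":
    # Constructed sample: a 512-byte file that starts with a QCOW2 v3 magic.
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk")
        with open(disk, "wb") as fh:
            fh.write(QCOW_MAGIC + struct.pack(">IQI", 3, 0, 0) + b"\x00" * 492)
        argv, suspicious = plan_resize(disk, 1 << 30, "raw")
        print(" ".join(argv), "| alert:", suspicious)
```

The flag is only an alerting aid, since disk content is guest data; the pinned `-f` is what keeps qemu-img from interpreting that content.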
      
