CVE-2026-47243 · Kata Containers runtime-rs guest-root to host-root escape via virtiofs

01 · The Real Story

This is a microVM panic room whose inside maintenance hatch opens straight into the host

CVE-2026-47243 is a Kata Containers runtime-rs guest-to-host escape in the standalone virtio-fs path. On affected deployments, virtiofsd is launched as host root with sandboxing and seccomp disabled, so a guest attacker with root-equivalent code execution inside the Kata guest VM can send raw FUSE messages and create host-root-owned symlinks outside the shared directory. The GitHub advisory marks runtime-rs <= 3.30.0 as affected, with the fix in 3.31.0; the verified bad configuration used rootless = false and shared_fs = "virtio-fs", and the issue was reproduced with QEMU and Cloud Hypervisor.

paragraphs

"ASSESSED AT HIGH: real host-root escape, but only after guest-root on a specific Kata runtime-rs virtio-fs setup"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get guest-root inside a Kata sandbox

The attacker first needs root-equivalent execution inside the Kata guest VM. In practice that means a prior container compromise, a malicious tenant workload, or an already-privileged workload running under Kata. This is the biggest severity brake: the bug is not a perimeter foothold, it is a post-initial-access boundary break.

Conditions required:

Workload is running under Kata Containers rather than a standard OCI runtime
Attacker can execute as root or root-equivalent inside the guest VM
The targeted node is using the affected runtime-rs path

Where this breaks in practice:

Requires a prior compromise stage or intentionally untrusted tenant code
Many enterprises do not deploy Kata broadly, and many that do are not handing guest root to arbitrary users
Kubernetes admission controls, PSP replacements, and workload policy can block the easiest path to guest root

Detection/coverage: Kubernetes audit logs, admission-control telemetry, and EDR on the host can often catch the earlier stage that granted guest-root or privileged workload execution; most vuln scanners will not model that prerequisite.

STEP 02

Land on the specific vulnerable runtime-rs virtio-fs configuration

The exploit path is tied to runtime-rs standalone virtio-fs, not Kata generically. The public advisory verified a host config with rootless = false, shared_fs = "virtio-fs", and virtio_fs_daemon pointing to host virtiofsd; the 3.31.0 fix removes the hardcoded unsafe virtiofsd arguments in runtime-rs.

Conditions required:

Kata Containers runtime-rs is deployed
Installed version is <= 3.30.0
Shared filesystem mode is virtio-fs
Rootless mode is disabled

Where this breaks in practice:

Runtime-go deployments are not this issue
Non-virtio-fs configurations fall out of scope
Rootless deployments reduce exposure to the verified exploit path

Detection/coverage: Config management, host inventory, and file-based checks can identify runtime-rs version plus configuration-qemu-runtime-rs.toml; generic network scanners will miss this entirely.

STEP 03

Use the public FUSE-level PoC against host virtiofsd

The GitHub advisory includes a concrete PoC showing how guest root can bypass the normal guest filesystem client, build a userspace virtqueue, and send raw FUSE_SYMLINK requests directly to host virtiofsd. Because virtiofsd is running as root with --sandbox none --seccomp none in the vulnerable path, an absolute host pathname can be honored outside the intended export root.

Conditions required:

Guest root can access the virtio-fs PCI device and build raw requests
Host virtiofsd is launched unsandboxed in the vulnerable runtime-rs path
A live Kata runtime process exists whose namespace can resolve the attacker payload path

Where this breaks in practice:

This is not a one-packet internet exploit; it needs intimate knowledge of Kata and virtio-fs internals
The attacker must interact with a live sandbox and resolve the right host-visible pathing
Host instrumentation may spot abnormal virtiofsd behavior or follow-on host filesystem changes

Detection/coverage: There is usually poor signature coverage in scanners and IDS for raw virtqueue abuse. Host eBPF/auditd around virtiofsd, /proc/*/root, and suspicious symlink creation is more realistic than perimeter detection.

STEP 04

Drop a privileged host-side trigger and execute as host root

The published PoC writes a symlink into /etc/cron.d so that host cron follows it and executes a guest-controlled payload as host root. That is a full isolation failure: once this lands, the attacker owns the node, not just the container or guest VM.

Conditions required:

Attacker can point the symlink at a guest-controlled payload visible through the runtime namespace
Host has a privileged consumer such as cron reading the planted path
File integrity controls do not block or immediately remediate the host-side change

Where this breaks in practice:

Specific payload staging and timing are required
FIM, audit rules, or hardened hosts may catch writes under /etc/cron.d or similar paths
The PoC path is obvious enough that tuned detections can be effective once defenders know to look

Detection/coverage: Strongest signals are host file integrity monitoring on /etc/cron.d, auditd rules for symlink creation in sensitive paths, and EDR alerts for anomalous cron-driven root execution.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No CISA KEV listing found, and I found no public reporting of active exploitation campaigns in the sources reviewed.
PoC availability	Public PoC is available in the GitHub advisory itself, including the `ctr run` example and the FUSE request sequence used to plant a host-side symlink.
EPSS	I found no public EPSS value surfaced yet in the reviewed sources for this newly published CVE; treat threat likelihood as driven by attacker preconditions, not by mass exploitation telemetry.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS / interpretation	GitHub's reviewed advisory now shows CVSS v4.0 8.4 / HIGH: `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P`. I am not using that as the comparison baseline because you explicitly asked for a first-field assessment, but it does align with a post-compromise, high-impact escape.
Affected versions	`runtime-rs` <= `3.30.0`. The verified bad path is standalone `virtio-fs` with `rootless = false`; GitHub says the issue was verified on QEMU and Cloud Hypervisor.
Fixed versions	`3.31.0` is the upstream fixed release. The security release notes tie CVE-2026-47243 to commit `555b773`, which removes the unsafe hardcoded `virtiofsd` arguments in `runtime-rs`.
Scanning / exposure reality	This is not meaningfully internet-fingerprintable like a web appliance CVE. `virtiofsd` is a host-local helper in the Kata stack, so Shodan/Censys-style exposure data is not a useful amplifier here; your real exposure comes from where you run Kata `runtime-rs` for untrusted workloads.
Disclosure timeline	Public disclosure hit oss-sec on 2026-05-21; GitHub's reviewed advisory was published 2026-05-27.
Reporter / source	The public disclosure was posted by Aurélien Bombo from the Kata Containers Vulnerability Management Team.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (7.8/10)

The deciding factor is that exploitation requires guest-root first, which makes this a post-compromise escape, not an unauthenticated internet RCE. I still keep it at HIGH because once that prerequisite is met, the bug defeats the exact isolation boundary Kata is supposed to provide and hands the attacker host-root on the node.

HIGH Exploit chain and affected configuration are well established by the GitHub advisory and fix commit

MEDIUM Real-world exposure prevalence across enterprise Kata `runtime-rs` deployments

MEDIUM Current threat activity level because there is no KEV listing or public exploitation telemetry yet

Why this verdict

Downward pressure: requires guest-root first. Attacker position is authenticated/inside the guest VM, which implies the attacker has already cleared an earlier compromise stage. That sharply narrows the reachable population versus a front-door remote bug, and modern workload policy, admission control, and earlier-stage detections should stop many chains before this CVE matters.
Downward pressure: narrow affected population. The bug needs Kata runtime-rs, not Kata broadly, and specifically the standalone virtio-fs path with rootless = false on versions <= 3.30.0. That is a much smaller slice of enterprise reality than the raw host-root impact suggests.
Upward pressure: boundary break is complete and public. Public PoC details show a reliable path from guest root to host root by abusing unsandboxed virtiofsd. Once exploited, blast radius jumps from one workload to the Kubernetes node / host, which is exactly the kind of amplifier that keeps this out of MEDIUM.

Why not higher?

It is not an unauthenticated remote exploit, not broadly internet-reachable, and not even a generic Kata flaw. The chain assumes prior control inside the guest plus a specific runtime-rs deployment model, and I found no KEV listing or active exploitation evidence to justify CRITICAL.

Why not lower?

The impact is not cosmetic or tenant-local: the published PoC reaches host-root. If you deliberately deployed Kata to contain untrusted workloads, a bug that collapses that boundary deserves more than backlog treatment even with the prerequisite friction.

05 · Compensating Control

What to do — in priority order.

Inventory all Kata runtime-rs nodes — Find every node running Kata and separate runtime-rs from runtime-go, then flag hosts on <= 3.30.0 using shared_fs = "virtio-fs" with rootless = false. For a HIGH verdict, complete this scoping and exposure labeling within 30 days.
Move untrusted workloads off affected runtime-rs pools — The exploit only matters after the attacker gets guest-root, so cut risk by keeping multi-tenant, hostile, or highly privileged workloads off affected Kata runtime-rs nodes until the vendor fix is deployed. Under the HIGH bucket, make this segregation change within 30 days where patching cannot land immediately.
Disable the vulnerable path where feasible — If your design allows it, switch away from the verified bad combination of standalone virtio-fs + rootless = false in runtime-rs, or use a non-affected runtime path while you remediate. Treat that as the main compensating control and deploy it within 30 days.
Watch host integrity choke points — Add or tune FIM/audit coverage for /etc/cron.d, suspicious symlink creation, and anomalous root activity spawned by cron or other privileged host consumers. This will not prevent exploitation, but it can compress dwell time and should be deployed within 30 days on exposed node pools.

What doesn't work

A WAF, email gateway, or perimeter NGFW does not help; this is not a front-door web exploit.
Container image scanning alone does not solve it, because the vulnerable state lives in the host runtime and configuration, not just in the image.
MFA is irrelevant to the exploit mechanics once the attacker already has guest-root.
Generic external attack-surface management is weak here because virtiofsd is not the kind of service Shodan/Censys meaningfully expose.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host that provides Kata runtime services, not from an auditor workstation. Invoke it as sudo bash check-cve-2026-47243.sh or sudo bash check-cve-2026-47243.sh /opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml; it needs root only to reliably read installed configs across standard Kata paths.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-47243.sh
# Detect likely exposure to CVE-2026-47243 on a Linux host running Kata Containers.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_CONFIG="${1:-}"
STATUS="UNKNOWN"
EXIT_CODE=2
DETAILS=()

add_detail() {
  DETAILS+=("$1")
}

ver_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

ver_lt() {
  # returns 0 if $1 < $2
  ! ver_ge "$1" "$2"
}

trim_quotes() {
  printf '%s' "$1" | sed -E 's/^[[:space:]]*"?//; s/"?[[:space:]]*$//'
}

get_version() {
  local out v
  if command -v containerd-shim-kata-v2 >/dev/null 2>&1; then
    out="$(containerd-shim-kata-v2 --version 2>/dev/null | head -n1)"
    v="$(printf '%s' "$out" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
    if [ -n "$v" ]; then
      printf '%s' "$v"
      return 0
    fi
  fi
  if command -v kata-runtime >/dev/null 2>&1; then
    out="$(kata-runtime --version 2>/dev/null | head -n3)"
    v="$(printf '%s' "$out" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
    if [ -n "$v" ]; then
      printf '%s' "$v"
      return 0
    fi
  fi
  return 1
}

find_configs() {
  if [ -n "$TARGET_CONFIG" ]; then
    [ -f "$TARGET_CONFIG" ] && printf '%s\n' "$TARGET_CONFIG"
    return 0
  fi

  find \
    /opt/kata/share/defaults/kata-containers \
    /usr/share/defaults/kata-containers \
    /etc/kata-containers \
    /usr/share/kata-containers \
    -type f \( -name 'configuration-*-runtime-rs.toml' -o -name '*runtime-rs*.toml' \) 2>/dev/null | sort -u
}

parse_key() {
  local file="$1"
  local key="$2"
  awk -F= -v k="$key" '
    $0 ~ "^[[:space:]]*" k "[[:space:]]*=" {
      val=$2
      sub(/^[[:space:]]*/, "", val)
      sub(/[[:space:]]*#.*/, "", val)
      print val
      exit
    }
  ' "$file"
}

VERSION=""
if VERSION="$(get_version)"; then
  add_detail "detected_version=$VERSION"
else
  add_detail "detected_version=unknown"
fi

mapfile -t CONFIGS < <(find_configs)
if [ "${#CONFIGS[@]}" -eq 0 ]; then
  add_detail "runtime_rs_config=not_found"
  if [ -n "$VERSION" ] && ver_ge "$VERSION" "3.31.0"; then
    STATUS="PATCHED"
    EXIT_CODE=0
  fi
  printf '%s\n' "$STATUS"
  printf '%s\n' "$(IFS='; '; echo "${DETAILS[*]}")"
  exit "$EXIT_CODE"
fi

EXPOSED_CONFIG=0
CHECKED_ANY=0
for cfg in "${CONFIGS[@]}"; do
  CHECKED_ANY=1
  rootless_raw="$(parse_key "$cfg" 'rootless')"
  shared_fs_raw="$(parse_key "$cfg" 'shared_fs')"
  daemon_raw="$(parse_key "$cfg" 'virtio_fs_daemon')"

  rootless="$(trim_quotes "$rootless_raw")"
  shared_fs="$(trim_quotes "$shared_fs_raw")"
  daemon="$(trim_quotes "$daemon_raw")"

  [ -z "$rootless" ] && rootless="unknown"
  [ -z "$shared_fs" ] && shared_fs="unknown"
  [ -z "$daemon" ] && daemon="unknown"

  add_detail "config=$cfg rootless=$rootless shared_fs=$shared_fs virtio_fs_daemon=$daemon"

  if [ "$rootless" = "false" ] && [ "$shared_fs" = "virtio-fs" ]; then
    EXPOSED_CONFIG=1
  fi
done

if [ -n "$VERSION" ] && ver_ge "$VERSION" "3.31.0"; then
  STATUS="PATCHED"
  EXIT_CODE=0
elif [ -n "$VERSION" ] && ver_lt "$VERSION" "3.31.0" && [ "$EXPOSED_CONFIG" -eq 1 ]; then
  STATUS="VULNERABLE"
  EXIT_CODE=1
elif [ -n "$VERSION" ] && ver_lt "$VERSION" "3.31.0" && [ "$CHECKED_ANY" -eq 1 ]; then
  STATUS="UNKNOWN"
  EXIT_CODE=2
else
  STATUS="UNKNOWN"
  EXIT_CODE=2
fi

printf '%s\n' "$STATUS"
printf '%s\n' "$(IFS='; '; echo "${DETAILS[*]}")"
exit "$EXIT_CODE"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, inventory every node running Kata and split out the ones using runtime-rs <= 3.30.0 with shared_fs = "virtio-fs" and rootless = false. For this HIGH verdict, the noisgate mitigation SLA is within 30 days: move untrusted workloads off affected pools or disable the vulnerable runtime path where feasible; the noisgate remediation SLA is within 180 days to deploy Kata Containers 3.31.0 or a verified downstream backport. If you run hostile multi-tenant workloads on Kata, treat your own business risk as tighter than the generic SLA even though there is no KEV listing yet.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.