Vulnerability-Lookup

WID-SEC-W-2026-1115

Vulnerability from csaf_certbund - Published: 2026-04-14 22:00 - Updated: 2026-05-10 22:00

Summary

Podman HyperV Machine: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Podman ist ein Container-Laufzeit- und Management-Tool, mit dem Benutzer Container ausführen und verwalten können, ohne einen separaten Daemon-Prozess zu benötigen. Podman is a container runtime and management tool that allows users to run and manage containers without the need for a separate daemon process.

Angriff: Ein lokaler Angreifer kann eine Schwachstelle in Podman HyperV Machine ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen.

Betroffene Betriebssysteme: - Windows

CVE-2026-33414

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Podman HyperV Machine <5.8.2 Open Source / Podman		HyperV Machine <5.8.2

References

5 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-hc8w-h2mf-hp59	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-22800	external
https://lists.opensuse.org/archives/list/security…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Podman ist ein Container-Laufzeit- und Management-Tool, mit dem Benutzer Container ausf\u00fchren und verwalten k\u00f6nnen, ohne einen separaten Daemon-Prozess zu ben\u00f6tigen.\r\nPodman is a container runtime and management tool that allows users to run and manage containers without the need for a separate daemon process.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in Podman HyperV Machine ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1115 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1115.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1115 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1115"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-hc8w-h2mf-hp59 vom 2026-04-14",
        "url": "https://github.com/advisories/GHSA-hc8w-h2mf-hp59"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-04-14",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-22800"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10706-1 vom 2026-05-08",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZA2LUXFWCCR4ZPDQEOCVC5YIUXJSVHQD/"
      }
    ],
    "source_lang": "en-US",
    "title": "Podman HyperV Machine: Schwachstelle erm\u00f6glicht Ausf\u00fchren von beliebigem Programmcode mit Administratorrechten",
    "tracking": {
      "current_release_date": "2026-05-10T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-11T09:02:36.430+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1115",
      "initial_release_date": "2026-04-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "HyperV Machine \u003c5.8.2",
                "product": {
                  "name": "Open Source Podman HyperV Machine \u003c5.8.2",
                  "product_id": "T052851"
                }
              },
              {
                "category": "product_version",
                "name": "HyperV Machine 5.8.2",
                "product": {
                  "name": "Open Source Podman HyperV Machine 5.8.2",
                  "product_id": "T052851-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:podman_project:podman:hyperv_machine__5.8.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "HyperV Machine \u003e=4.8.0",
                "product": {
                  "name": "Open Source Podman HyperV Machine \u003e=4.8.0",
                  "product_id": "T052853"
                }
              },
              {
                "category": "product_version_range",
                "name": "HyperV Machine \u003e=4.8.0",
                "product": {
                  "name": "Open Source Podman HyperV Machine \u003e=4.8.0",
                  "product_id": "T052853-fixed"
                }
              }
            ],
            "category": "product_name",
            "name": "Podman"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33414",
      "product_status": {
        "known_affected": [
          "T027843",
          "T052851"
        ]
      },
      "release_date": "2026-04-14T22:00:00.000+00:00",
      "title": "CVE-2026-33414"
    }
  ]
}

CVE-2026-33414 (GCVE-0-2026-33414)

Vulnerability from cvelistv5 – Published: 2026-04-14 22:42 – Updated: 2026-04-16 13:57

Title

PowerShell Command Injection in Podman HyperV Machine

Summary

Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.

Severity

4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/containers/podman/security/adv…	x_refsource_CONFIRM
https://github.com/containers/podman/commit/571c8…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
containers	podman	Affected: >= 4.8.0, < 5.8.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33414",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-16T13:57:01.669490Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-16T13:57:28.317Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "podman",
          "vendor": "containers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 5.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T22:42:19.822Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59"
        },
        {
          "name": "https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed"
        }
      ],
      "source": {
        "advisory": "GHSA-hc8w-h2mf-hp59",
        "discovery": "UNKNOWN"
      },
      "title": "PowerShell Command Injection in Podman HyperV Machine"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33414",
    "datePublished": "2026-04-14T22:42:19.822Z",
    "dateReserved": "2026-03-19T17:02:34.171Z",
    "dateUpdated": "2026-04-16T13:57:28.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1115

CVE-2026-33414 (GCVE-0-2026-33414)

Tags

Sightings

Nomenclature