CVE

CVE-2026-33414

PowerShell Command Injection in Podman HyperV Machine

Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection.

Affected Code

File: pkg/machine/hyperv/stubber.go:647

resize := exec.Command("powershell", []string{
    "-command",
    fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath.GetPath(), newSize.ToBytes()),
}...)

Root Cause

PowerShell evaluates $() subexpressions inside double-quoted strings before executing the outer command. The fmt.Sprintf call places the user-controlled image path directly into double quotes without escaping or sanitization.
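The following Go program is an added illustration of the root cause and of one defensive construction; it is not code from the Podman repository or from the referenced fix commit. It rebuilds the vulnerable argument construction quoted above next to a hardened variant that first checks the image path against an allow-list (the pattern and the helper names are assumptions made here) and then wraps it in a PowerShell single-quoted string, which PowerShell treats literally, so neither variables nor $() subexpressions are expanded. The sample paths are constructed; $(hostname) is used only because it is harmless.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// vulnerableResizeArgs reproduces the argument construction quoted from
// stubber.go: the image path is interpolated into a PowerShell double-quoted
// string, where $( ... ) is evaluated before Resize-VHD ever runs.
func vulnerableResizeArgs(imagePath string, newSize uint64) []string {
	return []string{
		"-command",
		fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath, newSize),
	}
}

// psSingleQuote wraps s in PowerShell single quotes. Single-quoted strings are
// literal: no variable expansion, no $() subexpressions, no backtick escapes.
// The only character that needs escaping is the single quote itself (' -> '').
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// safeImagePath is an assumed allow-list (not taken from the Podman patch): an
// absolute Windows path made of a drive letter, backslashes, alphanumerics,
// dots, underscores, hyphens and spaces, ending in .vhdx.
var safeImagePath = regexp.MustCompile(`^[A-Za-z]:\\[A-Za-z0-9_.\\ -]+\.vhdx$`)

// hardenedResizeArgs rejects any path outside the allow-list and, for paths
// that pass, quotes them literally so PowerShell cannot interpret them.
// -Path and -SizeBytes are Resize-VHD's own parameter names.
func hardenedResizeArgs(imagePath string, newSize uint64) ([]string, error) {
	if !safeImagePath.MatchString(imagePath) {
		return nil, fmt.Errorf("image path %q contains characters outside the allow-list", imagePath)
	}
	return []string{
		"-command",
		fmt.Sprintf("Resize-VHD -Path %s -SizeBytes %d", psSingleQuote(imagePath), newSize),
	}, nil
}

// wouldInterpolate reports whether a double-quoted PowerShell string built
// from s would be subject to expansion: $ introduces variables and $( )
// subexpressions, and the backtick is PowerShell's escape character.
func wouldInterpolate(s string) bool {
	return strings.ContainsAny(s, "$`")
}

func main() {
	// Constructed sample values; $(hostname) is a harmless subexpression that
	// would nevertheless run before Resize-VHD under the vulnerable construction.
	benign := `C:\Users\me\.local\share\containers\podman\machine\hyperv\podman-machine-default-amd64.vhdx`
	crafted := `C:\images\$(hostname).vhdx`
	const size = uint64(100) << 30

	for _, p := range []string{benign, crafted} {
		fmt.Printf("path: %s\n  expanded by double quotes: %v\n", p, wouldInterpolate(p))
		fmt.Printf("  vulnerable: %q\n", vulnerableResizeArgs(p, size)[1])
		if args, err := hardenedResizeArgs(p, size); err != nil {
			fmt.Printf("  hardened:   rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened:   %q\n", args[1])
		}
	}
}
```

The allow-list and the literal quoting are deliberately independent layers: the regex rejects the crafted path outright, and even a path that somehow slipped through would reach PowerShell inside single quotes, where $ has no meaning. Running the program shows the crafted path appearing verbatim inside the double quotes of the vulnerable command and being rejected by the hardened builder.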

Impact

An attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.

Patch

https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed

The affected code is only used on Windows; other operating systems are not affected and can ignore this CVE and its patch.

Credit

We would like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.



CVSS Scores

Version   Base Score   Score Vector
4.0       4            CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3.1       0            CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
3.1       7.8          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H


References

https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59
https://nvd.nist.gov/vuln/detail/CVE-2026-33414
https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed
https://github.com/containers/podman

Severity

CVSS Score: 7.8 (scale 0 to 10)

Basic Information

Ecosystem:
Base CVSS: 7.8
EPSS Probability: 0.00016%
EPSS Percentile: 0.03957%
Introduced Version: 4.8.0, 0, v6.0.0-20251023150015-34166fc004b8, v5.0.0-rc1, v5.0.0-20240208143539-72f1617facbb, v4.0.0-20240207151851-b1ce6ef9a857, v4.8.0-rc1, v4.0.0-20230921135202-5b3801776b73
Fix Available: 5.8.2, v6.0.0-20260413170149-571c842bd357, v5.8.2, v5.0.0-20260413170626-6cffe93d888f, 0.44.0-r0
