CVE-2026-44210: Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations
Kata Containers ships with a default configuration that allows pod creators to inject arbitrary command-line arguments into the virtiofsd process through the io.katacontainers.config.hypervisor.virtio_fs_extra_args pod annotation. By injecting -o source=/ along with --no-announce-submounts and --sandbox=none, an attacker can override the virtiofsd shared directory to serve the entire host root filesystem into the guest VM. Combined with the kernel_params annotation (also enabled by default) to activate the agent debug console, the attacker can mount the host filesystem from inside the VM and read or write any file on the host, including /etc/shadow.
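The practical defence is to stop untrusted pod specs from reaching the annotations named above: either strip them from the Kata runtime's annotation allowlist or reject them at admission. The following added example (not Kata Containers' or the advisory's own code) is a small admission-style checker: it takes a Kubernetes pod manifest as a dict, looks for the virtio_fs_extra_args annotation from the advisory and the kernel_params annotation (the full key io.katacontainers.config.hypervisor.kernel_params and the agent.debug_console parameter name are assumed here; confirm them against your Kata release), and returns findings plus a deny/allow verdict. The sample pod is constructed for the example.

```python
"""Admission-style checker for the Kata annotation misuse in CVE-2026-44210.

Added example, not Kata Containers' own code. It inspects a pod manifest
(dict) for the hypervisor annotations the advisory names and produces
findings a defender can log or use to deny the pod.
"""
import shlex

# Annotation key taken from the advisory.
VIRTIOFS_EXTRA_ARGS = "io.katacontainers.config.hypervisor.virtio_fs_extra_args"
# Kata's kernel_params annotation key (assumed; verify against your release).
KERNEL_PARAMS = "io.katacontainers.config.hypervisor.kernel_params"
# Kernel parameter that enables the agent debug console (assumed name).
DEBUG_CONSOLE_PARAM = "agent.debug_console"

# virtiofsd argument fragments that re-point or weaken the shared directory.
RISKY_VIRTIOFSD_PATTERNS = (
    "source=",                 # override of the shared directory source
    "--shared-dir",            # alternative spelling of the same override
    "--sandbox=none",          # disables virtiofsd's own sandboxing
    "--no-announce-submounts", # hides mount boundaries from the guest
)


def _tokens(value: str) -> list[str]:
    """Split an annotation value the way a shell would; fall back to whitespace."""
    try:
        return shlex.split(value)
    except ValueError:
        return value.split()


def analyze_pod(pod: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for Kata hypervisor annotations."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    findings: list[tuple[str, str]] = []

    extra = annotations.get(VIRTIOFS_EXTRA_ARGS)
    if extra is not None:
        tokens = _tokens(extra)
        hits = [p for p in RISKY_VIRTIOFSD_PATTERNS if any(p in t for t in tokens)]
        if hits:
            findings.append(("high", f"virtio_fs_extra_args overrides virtiofsd: {hits}"))
        else:
            # Any caller-supplied virtiofsd argument is untrusted input to a
            # host process; flag it even when no known-bad pattern matches.
            findings.append(("medium", "virtio_fs_extra_args is set by the pod spec"))

    kparams = annotations.get(KERNEL_PARAMS)
    if kparams is not None:
        if DEBUG_CONSOLE_PARAM in _tokens(kparams):
            findings.append(("high", "kernel_params enables the agent debug console"))
        else:
            findings.append(("medium", "kernel_params is set by the pod spec"))

    return findings


def verdict(findings: list[tuple[str, str]]) -> str:
    """Deny on any high-severity finding; otherwise allow (and log the rest)."""
    return "deny" if any(sev == "high" for sev, _ in findings) else "allow"


# Constructed sample pod mirroring the annotation combination in the advisory.
SAMPLE_POD = {
    "metadata": {
        "name": "example",
        "annotations": {
            VIRTIOFS_EXTRA_ARGS: "-o source=/ --no-announce-submounts --sandbox=none",
            KERNEL_PARAMS: "agent.debug_console",
        },
    }
}

if __name__ == "__main__":
    results = analyze_pod(SAMPLE_POD)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print("verdict:", verdict(results))
```

Run as a library inside a validating admission webhook or as a one-off audit over `kubectl get pods -A -o json`. Treat the "medium" findings as a signal to tighten the Kata runtime configuration itself: the durable fix is to remove these two keys from the runtime's annotation allowlist so that the check here becomes defence in depth rather than the only barrier.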