CVE-2013-2096: OpenStack Compute (Nova) does not verify the virtual size of a QCOW2 image

May 17, 2022 (updated April 12, 2025)

OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by creating an image with a large virtual size that does not contain a large amount of data.

References

github.com/advisories/GHSA-m674-hmx2-ffhq
github.com/openstack/nova
github.com/openstack/nova/commit/0caeb8eaf20abcdc77828f5c6b79fc104619e231
github.com/openstack/nova/commit/44a8aba1d5da87d54db48079103fdef946666d80
nvd.nist.gov/vuln/detail/CVE-2013-2096
review.openstack.org/
review.openstack.org/
review.openstack.org/
web.archive.org/web/20130726040108/http://www.securityfocus.com/bid/59924

Code Behaviors & Features

Detect and mitigate CVE-2013-2096 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →