GHSA-HC8W-H2MF-HP59

Vulnerability from github – Published: 2026-04-14 22:30 – Updated: 2026-04-15 21:06
VLAI?
Summary
PowerShell Command Injection in Podman HyperV Machine
Details

Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection.

Affected Code

File: pkg/machine/hyperv/stubber.go:647

resize := exec.Command("powershell", []string{
    "-command",
    fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath.GetPath(), newSize.ToBytes()),
}...)

Root Cause

PowerShell evaluates $() subexpressions inside double-quoted strings before executing the outer command. The fmt.Sprintf call places the user-controlled image path directly into double quotes without escaping or sanitization.

Impact

An attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.

Patch

https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed

The affected code is only used on Windows, all other operating systems are not affected by this and can thus ignore the CVE patch.

Credit

We like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.

Severity ?
4.0 (Medium)
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "last_affected": "4.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:30:24Z",
    "nvd_published_at": "2026-04-14T23:16:27Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA command injection vulnerability exists in Podman\u0027s HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing `$()` subexpression injection.\n\n## Affected Code\n\n**File**: `pkg/machine/hyperv/stubber.go:647`\n\n```go\nresize := exec.Command(\"powershell\", []string{\n    \"-command\",\n    fmt.Sprintf(\"Resize-VHD \\\"%s\\\" %d\", imagePath.GetPath(), newSize.ToBytes()),\n}...)\n```\n\n\n\n## Root Cause\n\nPowerShell evaluates `$()` subexpressions inside double-quoted strings before executing the outer command. The `fmt.Sprintf` call places the user-controlled image path directly into double quotes without escaping or sanitization.\n\n## Impact\n\nAn attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.\n\n\n## Patch\n\nhttps://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed\n\nThe affected code is only used on Windows, all other operating systems are not affected by this and can thus ignore the CVE patch.\n\n## Credit\n\nWe like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.",
  "id": "GHSA-hc8w-h2mf-hp59",
  "modified": "2026-04-15T21:06:29Z",
  "published": "2026-04-14T22:30:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33414"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/podman"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PowerShell Command Injection in Podman HyperV Machine"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.