GHSA-hc8w-h2mf-hp59

Source
https://github.com/advisories/GHSA-hc8w-h2mf-hp59
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hc8w-h2mf-hp59/GHSA-hc8w-h2mf-hp59.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hc8w-h2mf-hp59
Aliases
Downstream
Related
Published
2026-04-14T22:30:24Z
Modified
2026-04-17T00:30:09.971624395Z
Severity
  • 4.0 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
PowerShell Command Injection in Podman HyperV Machine
Details

Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection.

Affected Code

File: pkg/machine/hyperv/stubber.go:647

// imagePath is interpolated, unescaped, into a PowerShell double-quoted string
resize := exec.Command("powershell", []string{
    "-command",
    fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath.GetPath(), newSize.ToBytes()),
}...)

Root Cause

PowerShell evaluates $() subexpressions inside double-quoted strings before executing the outer command. The fmt.Sprintf call places the user-controlled image path directly into double quotes without escaping or sanitization.
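As an added illustration (this is not Podman's code and not necessarily the approach taken in the upstream patch), the following Go builds the -command argument the way the advisory describes and beside it a hardened variant that rejects PowerShell metacharacters and passes the path as a single-quoted literal, which PowerShell never expands or evaluates. The sample paths are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// resizeArgVulnerable mirrors the advisory's construction: the path lands inside
// a PowerShell double-quoted string, where $( ) is evaluated before Resize-VHD runs.
func resizeArgVulnerable(imagePath string, newSizeBytes uint64) string {
	return fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath, newSizeBytes)
}

// psSingleQuote renders s as a PowerShell single-quoted literal. Inside single
// quotes nothing is expanded or evaluated; only ' is special and is written as ''.
// (Hardening chosen for this example; it is not necessarily the upstream fix.)
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// validateImagePath adds defence in depth: a VHD path never needs these characters.
func validateImagePath(p string) error {
	if p == "" {
		return errors.New("empty image path")
	}
	if strings.ContainsAny(p, "$`\"\r\n") {
		return fmt.Errorf("image path %q contains PowerShell metacharacters", p)
	}
	return nil
}

// resizeArgHardened validates the path and emits it as an inert single-quoted literal.
func resizeArgHardened(imagePath string, newSizeBytes uint64) (string, error) {
	if err := validateImagePath(imagePath); err != nil {
		return "", err
	}
	return fmt.Sprintf("Resize-VHD %s %d", psSingleQuote(imagePath), newSizeBytes), nil
}

func main() {
	// Constructed sample paths (not from the advisory): a normal one and one
	// whose directory name carries a $( ) subexpression.
	for _, p := range []string{`C:\vm\podman-machine-default.vhdx`, `C:\vm\$(Get-Date)\disk.vhdx`} {
		fmt.Println("vulnerable:", resizeArgVulnerable(p, 100<<30))
		cmd, err := resizeArgHardened(p, 100<<30)
		fmt.Println("hardened:  ", cmd, err)
	}
}
```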

Impact

An attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.

Patch

https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed

The affected code is only used on Windows; other operating systems are not affected and can ignore the CVE patch.

Credit

We would like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": "2026-04-14T23:16:27Z",
    "github_reviewed_at": "2026-04-14T22:30:24Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/containers/podman/v4

Package

Name
github.com/containers/podman/v4
Purl
pkg:golang/github.com/containers/podman/v4

Affected ranges

Type
SEMVER
Events
Introduced
4.8.0
Last affected
4.9.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hc8w-h2mf-hp59/GHSA-hc8w-h2mf-hp59.json"

Go / github.com/containers/podman/v5

Package

Name
github.com/containers/podman/v5
Purl
pkg:golang/github.com/containers/podman/v5

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.8.2

Database specific

last_known_affected_version_range
"<= 5.8.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hc8w-h2mf-hp59/GHSA-hc8w-h2mf-hp59.json"