PT-2026-32953 · Podman · Podman

Koreasecurity · Published 2026-04-14 · Updated 2026-05-06 · CVE-2026-33414
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Podman, versions 4.8.0 through 5.8.1
Description: A command injection issue exists in the HyperV machine backend within the file pkg/machine/hyperv/stubber.go. The VM image path is inserted into a PowerShell double-quoted string without sanitization, which allows for $() subexpression injection. Since PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who controls the VM image path via a crafted machine name or image directory can execute arbitrary PowerShell commands. This occurs with the privileges of the Podman process, which on typical Windows installations results in SYSTEM-level code execution. This issue exclusively affects Windows.
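The following Go snippet is an added illustration of the quoting defect described above and one way to harden it; it is not Podman's code and not the project's actual patch. Example-Cmdlet, the function names and the sample path are placeholders chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeCommand reproduces the vulnerable pattern: the path is spliced into a
// double-quoted PowerShell string, where PowerShell expands $(...) and $var
// before the outer command runs. Example-Cmdlet is a placeholder cmdlet.
func unsafeCommand(imagePath string) string {
	return fmt.Sprintf(`Example-Cmdlet -Path "%s"`, imagePath)
}

// PowerShellSingleQuote returns s as a PowerShell single-quoted literal.
// Single-quoted strings are not subject to subexpression, variable or
// backtick expansion; the only escape needed is doubling an embedded quote.
func PowerShellSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// SafeCommand builds the same command with the path passed literally.
func SafeCommand(imagePath string) string {
	return "Example-Cmdlet -Path " + PowerShellSingleQuote(imagePath)
}

// HasDoubleQuoteExpansion reports whether s contains characters that a
// double-quoted PowerShell string would interpret ($ for subexpressions and
// variables, ` as the escape character, " to close the string). Suitable as
// an input-validation or detection check on machine names and image paths.
func HasDoubleQuoteExpansion(s string) bool {
	return strings.ContainsAny(s, "$`\"")
}

func main() {
	// Constructed sample: a machine directory name carrying a $() marker.
	p := `C:\machines\$(untrusted)\disk.vhdx`
	fmt.Println("unsafe: ", unsafeCommand(p))
	fmt.Println("safe:   ", SafeCommand(p))
	fmt.Println("flagged:", HasDoubleQuoteExpansion(p))
}
```

Rejecting any machine name or image directory for which HasDoubleQuoteExpansion returns true gives defence in depth even when the command string is built correctly.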
Recommendations: Update to version 5.8.2.

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers

CVE-2026-33414
GHSA-HC8W-H2MF-HP59
OPENSUSE-SU-2026:10706-1
RHSA-2026:8211

Affected Products

Podman