Host-Root Escape Vulnerability Uncovered in Kata Containers
ID: 6a56ead9-9a6f-5bd6-bba4-1c20055fe940
STIX ID: report--6a56ead9-9a6f-5bd6-bba4-1c20055fe940
Feed Name: securityonline.info
### Executive Summary

A critical vulnerability (CVE-2026-47243) in Kata Containers' runtime-rs virtio-fs allows a guest-root user to craft FUSE requests (e.g., absolute symlink names) that escape the virtio-fs shared directory and create files on the host (such as in /etc/cron.d), enabling host-root code execution. The flaw arises because the host virtiofsd is run as root with weakened sandboxing. Public proof-of-concept exploit code has been published and validated against QEMU and Cloud Hypervisor. Immediate patching of affected deployments is advised.
