CVE-2026-5367

Summary

A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.

Affected Software

VendorProductVersion RangeStatus
Red HatFast Datapath for Red Hat Enterprise Linux 100:25.03.2-100.el10fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 100:25.09.2-103.el10fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:21.12.0-145.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:23.06.4-30.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:23.06.4-30.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:23.09.6-16.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:24.03.7-82.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:25.03.2-100.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:25.09.2-103.el9fdp < *unaffected

Weaknesses

  • CWE-130: Improper Handling of Length Parameter Inconsistency

Workarounds

The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports, e.g.:

ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.

We do not recommend mitigating the vulnerability this way because it will also disable legitimate DHCPv6 traffic originating from workloads connected to logical switch ports.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

ovn: OVN: Information disclosure via crafted DHCPv6 packets

Additional References

References