CVE-2026-5367
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 | 0:25.03.2-100.el10fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 | 0:25.09.2-103.el10fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | 0:21.12.0-145.el8fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | 0:23.06.4-30.el8fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:23.06.4-30.el9fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:23.09.6-16.el9fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:24.03.7-82.el9fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:25.03.2-100.el9fdp < * | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:25.09.2-103.el9fdp < * | unaffected |
Weaknesses
- CWE-130: Improper Handling of Length Parameter Inconsistency
Workarounds
The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports, e.g.:
ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.
We do not recommend mitigating the vulnerability this way because it will also disable legitimate DHCPv6 traffic originating from workloads connected to logical switch ports.
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2026/04/20/3
- http://www.openwall.com/lists/oss-security/2026/04/20/5
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
ovn: OVN: Information disclosure via crafted DHCPv6 packets
Additional References
- https://access.redhat.com/security/cve/CVE-2026-5367
- https://bugzilla.redhat.com/show_bug.cgi?id=2455863
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5367.json
- https://access.redhat.com/errata/RHSA-2026:22110
- https://access.redhat.com/errata/RHSA-2026:22111
- https://access.redhat.com/errata/RHSA-2026:11694
- https://access.redhat.com/errata/RHSA-2026:11695
- https://access.redhat.com/errata/RHSA-2026:11696
- https://access.redhat.com/errata/RHSA-2026:11698
- https://access.redhat.com/errata/RHSA-2026:11700
- https://access.redhat.com/errata/RHSA-2026:11701
- https://access.redhat.com/errata/RHSA-2026:11702
References
- https://access.redhat.com/errata/RHSA-2026:11694
- https://access.redhat.com/errata/RHSA-2026:11695
- https://access.redhat.com/errata/RHSA-2026:11696
- https://access.redhat.com/errata/RHSA-2026:11698
- https://access.redhat.com/errata/RHSA-2026:11700
- https://access.redhat.com/errata/RHSA-2026:11701
- https://access.redhat.com/errata/RHSA-2026:11702
- https://access.redhat.com/errata/RHSA-2026:22110
- https://access.redhat.com/errata/RHSA-2026:22111
- https://access.redhat.com/security/cve/CVE-2026-5367
- https://bugzilla.redhat.com/show_bug.cgi?id=2455863
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.