Ovn: ovn: information disclosure via crafted dhcpv6 packets
Summary
| CVE | CVE-2026-5367 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-24 13:16:21 UTC |
| Updated | 2026-04-29 18:16:04 UTC |
| Description | A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port. |
Risk And Classification
Primary CVSS: v3.1 8.6 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.000600000 probability, percentile 0.183200000 (date 2026-05-05)
Problem Types: CWE-130 | CWE-130 Improper Handling of Length Parameter Inconsistency
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 8 | unaffected 0:21.12.0-145.el8fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 8 | unaffected 0:23.06.4-30.el8fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 9 | unaffected 0:23.06.4-30.el9fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 9 | unaffected 0:23.09.6-16.el9fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 9 | unaffected 0:24.03.7-82.el9fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 9 | unaffected 0:25.03.2-100.el9fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For Red Hat Enterprise Linux 9 | unaffected 0:25.09.2-103.el9fdp * rpm | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 10 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 10 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 8 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 8 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 8 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 8 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 9 | Not specified | Not specified |
| CNA | Red Hat | Fast Datapath For RHEL 9 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:11695 | [email protected] | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/04/20/3 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| access.redhat.com/errata/RHSA-2026:11702 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11694 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11698 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11700 | [email protected] | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/04/20/5 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| access.redhat.com/errata/RHSA-2026:11696 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11701 | [email protected] | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-5367 | [email protected] | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-07T08:10:53.507Z | Reported to Red Hat. |
| CNA | 2026-04-13T00:00:00.000Z | Made public. |
Workarounds
CNA: The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports, e.g.: ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options. We do not recommend mitigating the vulnerability this way because it will also disable legitimate DHCPv6 traffic originating from workloads connected to logical switch ports.
There are currently no legacy QID mappings associated with this CVE.