Ovn: ovn: information disclosure via crafted dhcpv6 packets
Summary
| CVE | CVE-2026-5367 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-24 13:16:21 UTC |
| Updated | 2026-06-30 03:21:06 UTC |
| Description | A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port. |
Risk And Classification
Primary CVSS: v3.1 8.6 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.008680000 probability, percentile 0.543190000 (date 2026-07-03)
Problem Types: CWE-130 | CWE-130 Improper Handling of Length Parameter Inconsistency
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.openwall.com/lists/oss-security/2026/04/20/3 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| access.redhat.com/errata/RHSA-2026:11698 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11702 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11700 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/04/20/5 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5367.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22111 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11695 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11701 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-5367 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11694 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22110 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11696 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-07T08:10:53.507Z | Reported to Red Hat. |
| CNA | 2026-04-13T00:00:00.000Z | Made public. |
| ADP | 2026-04-07T08:10:53.507Z | Reported to Red Hat. |
| ADP | 2026-04-13T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:22110: Fast Datapath for Red Hat Enterprise Linux 10
ADP: RHSA-2026:22111: Fast Datapath for Red Hat Enterprise Linux 10
ADP: RHSA-2026:11694: Fast Datapath for Red Hat Enterprise Linux 8
ADP: RHSA-2026:11695: Fast Datapath for Red Hat Enterprise Linux 8
ADP: RHSA-2026:11696: Fast Datapath for Red Hat Enterprise Linux 9
ADP: RHSA-2026:11698: Fast Datapath for Red Hat Enterprise Linux 9
ADP: RHSA-2026:11700: Fast Datapath for Red Hat Enterprise Linux 9
ADP: RHSA-2026:11701: Fast Datapath for Red Hat Enterprise Linux 9
ADP: RHSA-2026:11702: Fast Datapath for Red Hat Enterprise Linux 9
Workarounds
CNA: The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports, e.g.: ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options. We do not recommend mitigating the vulnerability this way because it will also disable legitimate DHCPv6 traffic originating from workloads connected to logical switch ports.
ADP: The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports, e.g.: ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options. We do not recommend mitigating the vulnerability this way because it will also disable legitimate DHCPv6 traffic originating from workloads connected to logical switch ports.