Description
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3.
Published: 2026-02-06
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Incorrect network policy enforcement
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an integer overflow in Antrea's network policy priority assignment, which can cause priority calculations to wrap around and produce incorrect OpenFlow priorities. This miscalculation may lead to traffic being allowed or denied contrary to the defined policies, potentially compromising confidentiality, integrity, or availability for services within a Kubernetes cluster. The weakness maps to CWE‑287 (Broken Authentication/Authorization) and CWE‑770 (Out‑of‑Bounds Errors).

Affected Systems

Antrea, the Kubernetes native networking solution from the Linux Foundation, is affected when running versions older than 2.3.2 or 2.4.3. Prior to these releases the priority assignment system was vulnerable to a uint16 overflow, which was addressed in release 2.4.3 of Antrea. The vulnerability impacts all clusters that rely on Antrea for policy enforcement.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.0, indicating high severity, but the EPSS score is below 1%, suggesting current exploitation probability is low and the vulnerability is not listed in the CISA KEV catalog. The attack likely requires the ability to create or modify many network policies within the cluster or to manipulate priority values so that the 16‑bit counter overflows. Such manipulation could be performed by an insider or a compromised controller, resulting in incorrect traffic enforcement.

Generated by OpenCVE AI on April 17, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Antrea to version 2.4.3 or later to apply the fix
  • Review existing network policies to ensure priority values remain within the uint16 range and avoid creating an excessive number of policies
  • Restrict policy creation to administrators and audit policy changes regularly to detect potential overflow conditions

Generated by OpenCVE AI on April 17, 2026 at 22:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-86x4-wp9f-wrr9 Antrea has invalid enforcement order for network policy rules caused by integer overflow
History

Sat, 28 Feb 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation antrea
CPEs cpe:2.3:a:linuxfoundation:antrea:*:*:*:*:*:kubernetes:*:*
Vendors & Products Linuxfoundation
Linuxfoundation antrea
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Antrea-io
Antrea-io antrea
Vendors & Products Antrea-io
Antrea-io antrea

Fri, 06 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3.
Title Antrea has invalid enforcement order for network policy rules caused by integer overflow
Weaknesses CWE-287
CWE-770
References
Metrics cvssV4_0

{'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Antrea-io Antrea
Linuxfoundation Antrea
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:25:44.301Z

Reserved: 2026-02-05T19:58:01.641Z

Link: CVE-2026-25804

cve-icon Vulnrichment

Updated: 2026-02-09T15:21:47.143Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T23:15:55.123

Modified: 2026-02-28T00:30:06.540

Link: CVE-2026-25804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses