Description
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to 2.4.5 and 2.5.2, a missing encryption vulnerability affects inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fails to apply encryption for IPv6 Pod traffic. While the IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because the packets are encapsulated (using Geneve or VXLAN) but bypass the IPsec encryption layer. Impacted Users: users with dual-stack clusters and IPsec encryption enabled. Single-stack IPv4 or IPv6 clusters are not affected. This vulnerability is fixed in 2.4.5 and 2.5.2.
Published: 2026-04-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data exposure for IPv6 inter-node traffic in dual‑stack Antrea clusters
Action: Immediate Patch
AI Analysis

Impact

A flaw in Antrea caused the IPsec encryption layer to be skipped when IPv6 packets were sent between nodes in dual‑stack clusters. While IPv4 traffic was wrapped in ESP, IPv6 traffic traversed the network in plaintext. The vulnerability is a classic confidentiality loss that allows an adversary to read sensitive data flowing between pods, potentially enabling additional attacks. The weakness is recorded as CWE‑311, indicating a failure to encrypt data during transmission.

Affected Systems

The affected product is Antrea from antrea‑io. Versions prior to 2.4.5 (for branch 2.4) and prior to 2.5.2 (for branch 2.5) are vulnerable when trafficEncryptionMode is set to ipsec on a dual‑stack (IPv4/IPv6) cluster. Single‑stack IPv4 or IPv6 setups are not impacted.

Risk and Exploitability

The CVSS score of 7.1 signals a high‑severity issue that can be exploited from within the cluster or from a network that has visibility into node traffic. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog, but the risk stems from the fact that the vulnerable traffic is unencrypted. Attackers would need network access to the inter‑node channels; once they can capture IPv6 packets, they obtain unencrypted data. No additional exploit conditions are required beyond the presence of a dual‑stack IPsec cluster.

Generated by OpenCVE AI on April 6, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Antrea to version 2.4.5 or newer (2.5.2+ for branch 2.5) to restore IPv6 encryption
  • Verify that trafficEncryptionMode remains set to ipsec and that dual‑stack nodes correctly use ESP for both families
  • Monitor inter‑node traffic for any plaintext IPv6 packets as a check after patching

Generated by OpenCVE AI on April 6, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qcmw-8mm4-4p28 Antrea has Missing Encryption of Sensitive Data
History

Tue, 28 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation antrea
CPEs cpe:2.3:a:linuxfoundation:antrea:*:*:*:*:*:kubernetes:*:*
Vendors & Products Linuxfoundation
Linuxfoundation antrea
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Antrea-io
Antrea-io antrea
Vendors & Products Antrea-io
Antrea-io antrea

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to 2.4.5 and 2.5.2, a missing encryption vulnerability affects inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fails to apply encryption for IPv6 Pod traffic. While the IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because the packets are encapsulated (using Geneve or VXLAN) but bypass the IPsec encryption layer. Impacted Users: users with dual-stack clusters and IPsec encryption enabled. Single-stack IPv4 or IPv6 clusters are not affected. This vulnerability is fixed in 2.4.5 and 2.5.2.
Title Missing Encryption of Sensitive Data in antrea.io/antrea
Weaknesses CWE-311
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Antrea-io Antrea
Linuxfoundation Antrea
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:10:53.588Z

Reserved: 2026-03-31T19:38:31.618Z

Link: CVE-2026-34992

cve-icon Vulnrichment

Updated: 2026-04-07T14:10:49.715Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T17:17:12.183

Modified: 2026-04-27T23:51:02.157

Link: CVE-2026-34992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:31:35Z

Weaknesses