Description
In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from an infinite loop in OpenStack Ironic's checksum calculations during image handling. When an image is referenced with a file:///dev/zero URL, the checksum routine never terminates: /dev/zero is a character device that supplies zero bytes indefinitely and never signals end of file, so a checksum loop that reads until end of file keeps consuming CPU cycles without bound. This can lead to resource exhaustion and service disruption for the Ironic controller, potentially impacting the availability of the OpenStack deployment. The weakness is identified as CWE-696, which signifies an error in control flow leading to malfunction or denial of service.

Affected Systems

OpenStack Ironic versions prior to the commit a3f6d73 (any 35.x release) are affected. Users running 35.x branches without the patch are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity and a potential availability impact. EPSS data is not available, and the vulnerability is not listed in the KEV catalog, suggesting limited known exploitation. The attack requires supplying a file URI to the image handling endpoint, so it is most likely exploitable by users who can submit or influence image metadata. In the worst case, this could lead to a denial of service for the Ironic service. The lack of public exploitation reduces immediate risk, but the availability impact remains a concern.

Generated by OpenCVE AI on May 14, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch introduced in commit a3f6d73 or update to an Ongoing Stable release where the patch is included.
  • If an immediate patch is unavailable, replace the vulnerable checksum routine with a bounded loop implementation or limit the maximum number of iterations.
  • As a temporary measure, enforce image URL policy to reject file:// schemes and allow only http:// or https:// sources.
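The two mitigations above, written out as an added example in Python (not Ironic's own code): an allow-list check on the image URL scheme that rejects file:// sources, and a checksum routine that refuses anything other than a regular file and stops after a fixed byte budget. The function names, the 10 GiB limit and the scheme list are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
from urllib.parse import urlparse

# Added example (not Ironic's code): names, limits and the scheme allow-list
# are assumptions chosen to illustrate the recommended mitigations.
ALLOWED_SCHEMES = frozenset({"http", "https"})
CHUNK_SIZE = 64 * 1024
MAX_IMAGE_BYTES = 10 * 1024 ** 3  # assumed deployment-wide image size limit


class ImageSourceRejected(ValueError):
    """Raised when an image source fails policy or bounds checks."""


def validate_image_url(url):
    """Reject non-HTTP(S) sources such as file:///dev/zero before any I/O."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ImageSourceRejected(f"image scheme {scheme!r} is not allowed")
    return url


def bounded_checksum(path, algorithm="sha256", max_bytes=MAX_IMAGE_BYTES):
    """Hash a local file with a hard byte bound, refusing non-regular files.

    /dev/zero is a character device: it never returns EOF, and os.stat reports
    its size as 0, so a size check alone is not enough; S_ISREG catches it.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ImageSourceRejected(f"{path} is not a regular file")
    if st.st_size > max_bytes:
        raise ImageSourceRejected(f"{path} exceeds {max_bytes} bytes")
    digest = hashlib.new(algorithm)
    consumed = 0
    with open(path, "rb") as fh:
        while True:  # each pass either hits EOF or adds to the byte count
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            consumed += len(chunk)
            if consumed > max_bytes:  # file grew under us, or stat was wrong
                raise ImageSourceRejected(f"{path} exceeded {max_bytes} bytes")
            digest.update(chunk)
    return digest.hexdigest()
```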

Advisories

Source: GitHub GHSA
ID: GHSA-4g73-w726-53h3
Title: OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices
History

Wed, 20 May 2026 16:45:00 +0000
  References

Thu, 14 May 2026 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 03:45:00 +0000
  Title: Infinite Loop in Checksum Calculations via /dev/zero URL in OpenStack Ironic Image Handling

Thu, 14 May 2026 02:15:00 +0000
  Description: In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
  First Time appeared: Openstack; Openstack ironic
  Weaknesses: CWE-696
  CPEs: cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*
  Vendors & Products: Openstack; Openstack ironic
  References
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-21T06:16:30.581Z

Reserved: 2026-05-08T00:00:00.000Z

Link: CVE-2026-44919

Vulnrichment

Updated: 2026-05-14T13:53:21.400Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T02:17:21.773

Modified: 2026-05-20T17:16:23.870

Link: CVE-2026-44919

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T03:30:10Z

Weaknesses