Description
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In OpenStack Nova versions prior to 33.0.2 the server create API fails to strip specific hint data from the request payload. The retained hints prevent the Placement service from recording an allocation for the new instance, leaving the instance without the corresponding placement record. This flaw does not directly expose code execution or data but can cause scheduling failures, inaccurate resource accounting, and overall service availability issues. The weakness is categorized as CWE-1173 – Unintended Resource Mismanagement and CWE-669 – Improper Cleanup of Resource References.

Affected Systems

The affected product is OpenStack Nova, specifically any deployment using Nova components before release 33.0.2. All Nova compute service instances that expose the create server API without the patch are vulnerable.

Risk and Exploitability

The CVSS score of 5.4 places this vulnerability in the moderate severity range. The EPSS score of less than 1 percent indicates that exploitation is unlikely to be widespread. The vulnerability is not listed in CISA KEV. The likely attack vector is an authenticated or unauthenticated network attacker who can send a crafted compute instance creation request to a vulnerable Nova endpoint. Although the flaw does not directly expose data or allow code execution, the failure to create placement allocations can degrade service availability and lead to resource misallocation.

Generated by OpenCVE AI on June 18, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nova to version 33.0.2 or later, which implements proper hint stripping and ensures placement allocations.
  • Monitor the placement service logs for missing allocation entries that may indicate affected instances.
  • Reconcile any discrepancies between Nova and Placement records to restore accurate resource accounting.

Generated by OpenCVE AI on June 18, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mfg3-p6m3-gjgr OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title OpenStack Nova Create Instance API Leaves Unstripped Hint Data, Causing Missing Placement Allocation openstack-nova: OpenStack Nova: Resource allocation issue due to unstripped hint data in server creation API
Weaknesses CWE-1173
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title OpenStack Nova Create Instance API Leaves Unstripped Hint Data, Causing Missing Placement Allocation

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
First Time appeared Openstack
Openstack nova
Weaknesses CWE-669
CPEs cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack nova
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-17T12:17:30.606Z

Reserved: 2026-05-14T00:00:00.000Z

Link: CVE-2026-46448

cve-icon Vulnrichment

Updated: 2026-06-16T19:16:38.300Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:41.697

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-46448

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T00:00:00Z

Links: CVE-2026-46448 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-1173

    Improper Use of Validation Framework

  • CWE-669

    Incorrect Resource Transfer Between Spheres