Impact
In OpenStack Nova versions prior to 33.0.2 the server create API fails to strip specific hint data from the request payload. The retained hints prevent the Placement service from recording an allocation for the new instance, leaving the instance without the corresponding placement record. This flaw does not directly expose code execution or data but can cause scheduling failures, inaccurate resource accounting, and overall service availability issues. The weakness is categorized as CWE-1173 – Unintended Resource Mismanagement and CWE-669 – Improper Cleanup of Resource References.
Affected Systems
The affected product is OpenStack Nova, specifically any deployment using Nova components before release 33.0.2. All Nova compute service instances that expose the create server API without the patch are vulnerable.
Risk and Exploitability
The CVSS score of 5.4 places this vulnerability in the moderate severity range. The EPSS score of less than 1 percent indicates that exploitation is unlikely to be widespread. The vulnerability is not listed in CISA KEV. The likely attack vector is an authenticated or unauthenticated network attacker who can send a crafted compute instance creation request to a vulnerable Nova endpoint. Although the flaw does not directly expose data or allow code execution, the failure to create placement allocations can degrade service availability and lead to resource misallocation.
OpenCVE Enrichment
Github GHSA