CVE-2026-5265 - Vulnerability Details - OpenCVE

Description

When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.

Published: 2026-04-24

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A heap over‑read occurs when the system generates ICMP Destination Unreachable or Packet Too Big replies; the code copies data from the source packet using the packet’s declared total length without verifying that the declared length is within the actual buffer. The result is that the generated ICMP error includes memory that lies beyond the end of the original packet. An attacker can craft a short packet with an inflated length field, which triggers the over‑read and causes the controller to transmit a malformed ICMP message that leaks arbitrary heap contents. The vulnerability does not provide code execution but could expose sensitive data such as kernel pointers or credentials.

Affected Systems

All Red Hat Fast Datapath releases for RHEL 7, RHEL 8, and RHEL 9 are affected. No specific versioning information is supplied by the vendor. The issue applies to the ovn-controller component within the Fast Datapath stack.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, and the EPSS score of less than 1% suggests that exploitation is considered unlikely in the near term. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need access to a virtual machine in the same environment that can send a custom IP packet with a fabricated length field and cause the ovn-controller to respond with an ICMP error. In a typical deployment, this requires the attacker to control traffic that reaches the controller, making the risk moderate but non‑negligible for exposed or poorly segmented networks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat

Fast Datapath for Red Hat Enterprise Linux 10

affected

Version	Status	Constraints
`0:25.03.2-100.el10fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:21.12.0-145.el8fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:23.06.4-30.el8fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:23.06.4-30.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:23.09.6-16.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:24.03.7-82.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:25.03.2-100.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:25.09.2-103.el9fdp`	unaffected	< *

Red Hat Fast Datapath for RHEL 10 affected —

Red Hat Fast Datapath for RHEL 7 affected —

Red Hat Fast Datapath for RHEL 7 affected —

Red Hat Fast Datapath for RHEL 7 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

No data.

No data.

Vendor Product Confidence Versions

Redhat

Fast Datapath

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

Check the Red Hat security portal for a vendor‑released patch for CVE‑2026‑5265 and apply the update as soon as it is available.
Until a patch is available, isolate the affected virtual machine or network segment and prevent it from sending large ICMP error traffic to the ovn‑controller.
Configure firewall or ACL rules to drop ICMP Destination Unreachable and Packet Too Big messages originating from untrusted hosts, thereby reducing the chance of memory leakage.

Generated by OpenCVE AI on April 28, 2026 at 06:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00099.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/20/2
http://www.openwall.com/lists/oss-security/2026/04/20/4
https://access.redhat.com/errata/RHSA-2026:11694
https://access.redhat.com/errata/RHSA-2026:11695
https://access.redhat.com/errata/RHSA-2026:11696
https://access.redhat.com/errata/RHSA-2026:11698
https://access.redhat.com/errata/RHSA-2026:11700
https://access.redhat.com/errata/RHSA-2026:11701
https://access.redhat.com/errata/RHSA-2026:11702
https://access.redhat.com/errata/RHSA-2026:22110
https://access.redhat.com/security/cve/CVE-2026-5265
https://bugzilla.redhat.com/show_bug.cgi?id=2453458
https://nvd.nist.gov/vuln/detail/CVE-2026-5265
https://www.cve.org/CVERecord?id=CVE-2026-5265

History

Mon, 01 Jun 2026 01:45:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:22110

Wed, 29 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:11695 https://access.redhat.com/errata/RHSA-2026:11698 https://access.redhat.com/errata/RHSA-2026:11700 https://access.redhat.com/errata/RHSA-2026:11701

Wed, 29 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:11694 https://access.redhat.com/errata/RHSA-2026:11696 https://access.redhat.com/errata/RHSA-2026:11702

Wed, 29 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10::fastdatapath

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat fast Datapath
Vendors & Products		Redhat fast Datapath

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5265 https://www.cve.org/CVERecord?id=CVE-2026-5265
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 24 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/20/2 http://www.openwall.com/lists/oss-security/2026/04/20/4

Fri, 24 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Title		Ovn: ovn: heap over-read in icmp error response generation - security issue
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-130
CPEs		cpe:/o:redhat:enterprise_linux:7::fastdatapath cpe:/o:redhat:enterprise_linux:8::fastdatapath cpe:/o:redhat:enterprise_linux:9::fastdatapath
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2026-5265 https://bugzilla.redhat.com/show_bug.cgi?id=2453458
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H'}`

Subscriptions

Redhat Enterprise Linux Fast Datapath

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-04-24T12:25:06.808Z

Updated: 2026-06-01T00:15:34.720Z

Reserved: 2026-03-31T17:33:09.225Z

Link: CVE-2026-5265

Vulnrichment

Updated: 2026-04-24T13:37:06.533Z

NVD

Status : Awaiting Analysis

Published: 2026-04-24T13:16:21.770

Modified: 2026-04-29T19:16:24.470

Link: CVE-2026-5265

Redhat

Severity : Moderate

Publid Date: 2026-04-06T00:00:00Z

Links: CVE-2026-5265 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:17:58Z

Weaknesses

CWE-130

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5265", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-31T17:33:09.225Z", "datePublished": "2026-04-24T12:25:06.808Z", "dateUpdated": "2026-06-01T00:15:34.720Z"}, "containers": {"cna": {"title": "Ovn: ovn: heap over-read in icmp error response generation - security issue", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM."}], "affected": [{"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.03", "defaultStatus": "affected", "versions": [{"version": "0:25.03.2-100.el10fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn-2021", "defaultStatus": "affected", "versions": [{"version": "0:21.12.0-145.el8fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.06", "defaultStatus": "affected", "versions": [{"version": "0:23.06.4-30.el8fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.06", "defaultStatus": "affected", "versions": [{"version": "0:23.06.4-30.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.09", "defaultStatus": "affected", "versions": [{"version": "0:23.09.6-16.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn24.03", "defaultStatus": "affected", "versions": [{"version": "0:24.03.7-82.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.03", "defaultStatus": "affected", "versions": [{"version": "0:25.03.2-100.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.09", "defaultStatus": "affected", "versions": [{"version": "0:25.09.2-103.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.09", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.11", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.12", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.13", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.11", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.12", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.13", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.03", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.06", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.09", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.12", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.03", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn-2021", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.03", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.06", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.09", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.12", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.03", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn24.09", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11694", "name": "RHSA-2026:11694", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11695", "name": "RHSA-2026:11695", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11696", "name": "RHSA-2026:11696", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11698", "name": "RHSA-2026:11698", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11700", "name": "RHSA-2026:11700", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11701", "name": "RHSA-2026:11701", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11702", "name": "RHSA-2026:11702", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22110", "name": "RHSA-2026:22110", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-5265", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453458", "name": "RHBZ#2453458", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-06T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-130: Improper Handling of Length Parameter Inconsistency", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-03-24T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-06T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-01T00:15:34.720Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/20/2"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/20/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T13:37:06.533Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:19:52.126823Z", "id": "CVE-2026-5265", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:21:26.388Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/20/2"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/20/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T13:37:06.533Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5265", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T18:19:52.126823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:20:20.827Z"}}], "cna": {"title": "Ovn: ovn: heap over-read in icmp error response generation - security issue", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:21.12.0-145.el8fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn-2021", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:23.06.4-30.el8fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn23.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:23.06.4-30.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn23.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:23.09.6-16.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn23.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:24.03.7-82.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn24.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:25.03.2-100.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn25.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:25.09.2-103.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn25.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 10", "packageName": "ovn25.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 10", "packageName": "ovn25.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 7", "packageName": "ovn2.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 7", "packageName": "ovn2.12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 7", "packageName": "ovn2.13", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn2.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn2.12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn2.13", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn22.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn22.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn22.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn22.12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn23.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn-2021", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn22.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn22.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn22.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn22.12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn23.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn24.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-03-24T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-06T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-06T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11694", "name": "RHSA-2026:11694", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11695", "name": "RHSA-2026:11695", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11696", "name": "RHSA-2026:11696", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11698", "name": "RHSA-2026:11698", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11700", "name": "RHSA-2026:11700", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11701", "name": "RHSA-2026:11701", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11702", "name": "RHSA-2026:11702", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-5265", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453458", "name": "RHBZ#2453458", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "Improper Handling of Length Parameter Inconsistency"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-29T18:27:24.243Z"}, "x_redhatCweChain": "CWE-130: Improper Handling of Length Parameter Inconsistency"}}, "cveMetadata": {"cveId": "CVE-2026-5265", "state": "PUBLISHED", "dateUpdated": "2026-04-29T18:27:24.243Z", "dateReserved": "2026-03-31T17:33:09.225Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-24T12:25:06.808Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM."}], "id": "CVE-2026-5265", "lastModified": "2026-04-29T19:16:24.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-24T13:16:21.770", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11694"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11695"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11696"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11698"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11700"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11701"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11702"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-5265"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453458"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/20/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/20/4"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "ovn: ovn: Heap Over-Read in ICMP Error Response Generation - security issue", "id": "2453458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453458"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-130", "details": ["When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-5265", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn2.11", "product_name": "Fast Datapath for RHEL 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn2.12", "product_name": "Fast Datapath for RHEL 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn2.13", "product_name": "Fast Datapath for RHEL 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn-2021", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn2.11", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn2.12", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn2.13", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.03", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.06", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.09", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.12", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn23.03", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.06", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn-2021", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.06", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn22.12", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Fix deferred", "package_name": "ovn23.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.06", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn24.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn24.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn25.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn25.09", "product_name": "Fast Datapath for RHEL 9"}], "public_date": "2026-04-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5265\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5265"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Fast Datapath for RHEL 7", "source": "cna", "vendor": "Red Hat"}, "product": "fast_datapath", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-28T06:53:03.119656+00:00", "value": {"mitigation_remediation": ["Check the Red\u202fHat security portal for a vendor\u2011released patch for CVE\u20112026\u20115265 and apply the update as soon as it is available.", "Until a patch is available, isolate the affected virtual machine or network segment and prevent it from sending large ICMP error traffic to the ovn\u2011controller.", "Configure firewall or ACL rules to drop ICMP Destination Unreachable and Packet Too Big messages originating from untrusted hosts, thereby reducing the chance of memory leakage."], "summary": {"action": "Apply patch", "impact": "Information disclosure through ICMP error responses"}, "threat_synthesis": {"affected_systems": "All Red\u202fHat Fast Datapath releases for RHEL\u202f7, RHEL\u202f8, and RHEL\u202f9 are affected. No specific versioning information is supplied by the vendor. The issue applies to the ovn-controller component within the Fast Datapath stack.", "description_and_impact": "A heap over\u2011read occurs when the system generates ICMP Destination Unreachable or Packet Too Big replies; the code copies data from the source packet using the packet\u2019s declared total length without verifying that the declared length is within the actual buffer. The result is that the generated ICMP error includes memory that lies beyond the end of the original packet. An attacker can craft a short packet with an inflated length field, which triggers the over\u2011read and causes the controller to transmit a malformed ICMP message that leaks arbitrary heap contents. The vulnerability does not provide code execution but could expose sensitive data such as kernel pointers or credentials.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate impact, and the EPSS score of less than 1% suggests that exploitation is considered unlikely in the near term. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need access to a virtual machine in the same environment that can send a custom IP packet with a fabricated length field and cause the ovn-controller to respond with an ICMP error. In a typical deployment, this requires the attacker to control traffic that reaches the controller, making the risk moderate but non\u2011negligible for exposed or poorly segmented networks."}}}}, "created": "2026-04-28T07:00:09.511995+00:00", "updated": "2026-04-28T09:17:58.275161+00:00", "vendors": ["redhat", "redhat$PRODUCT$fast_datapath"]}