CVE-2026-5367 - Vulnerability Details - OpenCVE

Description

A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.

Published: 2026-04-24

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An out-of-bounds read occurs in the OVN controller when it processes DHCPv6 SOLICIT packets with an inflated Client ID length, allowing a remote attacker to read sensitive heap memory and return the data to an attacker‑attached virtual machine port. This vulnerability is classified as CWE‑130 and is listed with a CVSS score of 8.6, indicating high severity for confidentiality exposure. The flaw can be triggered by a craft packet sent over the network to the OVN controller, with no authentication or privileged local access required, making remote disclosure possible what makes it a significant confidentiality risk.

Affected Systems

The affected products include Red Hat Fast Datapath for Red Hat Enterprise Linux 7, 8 and 9, as well as Red Hat OpenShift Container Platform 4. No specific affected version ranges are provided in the data; version information is therefore not available.

Risk and Exploitability

The EPSS score of 0.031% indicates a low but non‑zero probability of exploitation, and the vulnerability is not listed in CISA KEV. The main attack vector is through network‑based DHCPv6 traffic; an attacker can send a malformed SOLICIT packet to the OVN controller and obtain non‑authenticated memory contents. The high CVSS score reflects that the disclosed data could include credentials, keys or other sensitive information, thereby facilitating lateral movement or further compromise if the attacker achieves additional access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat

Fast Datapath for Red Hat Enterprise Linux 10

affected

Version	Status	Constraints
`0:25.03.2-100.el10fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:21.12.0-145.el8fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:23.06.4-30.el8fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:23.06.4-30.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:23.09.6-16.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:24.03.7-82.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:25.03.2-100.el9fdp`	unaffected	< *

Red Hat

Fast Datapath for Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:25.09.2-103.el9fdp`	unaffected	< *

Red Hat Fast Datapath for RHEL 10 affected —

Red Hat Fast Datapath for RHEL 8 unaffected —

Red Hat Fast Datapath for RHEL 8 unaffected —

Red Hat Fast Datapath for RHEL 8 unaffected —

Red Hat Fast Datapath for RHEL 8 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Fast Datapath for RHEL 9 affected —

Red Hat Red Hat OpenShift Container Platform 4 unaffected —

Red Hat Red Hat OpenShift Container Platform 4 unaffected —

Red Hat Red Hat OpenShift Container Platform 4 unaffected —

Red Hat Red Hat OpenShift Container Platform 4 unaffected —

Red Hat Red Hat OpenShift Container Platform 4 affected —

Red Hat Red Hat OpenShift Container Platform 4 unaffected —

Red Hat Red Hat OpenShift Container Platform 4 affected —

Red Hat Red Hat OpenShift Container Platform 4 unaffected —

Red Hat Red Hat OpenShift Container Platform 4 affected —

No data.

No data.

Vendor Product Confidence Versions

Redhat

Fast Datapath

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Redhat

Openshift Container Platform

86%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports, e.g.: ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options. We do not recommend mitigating the vulnerability this way because it will also disable legitimate DHCPv6 traffic originating from workloads connected to logical switch ports.

OpenCVE Recommended Actions

Apply the latest OVN patch that addresses the out‑of‑bounds read in DHCPv6 handling.
If updating is not immediately possible, disable DHCPv6 for affected workloads by running `ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options` for each logical switch port.
Restrict DHCPv6 traffic to trusted sources by configuring firewall or network policies to block unsolicited SOLICIT packets.
Monitor OVN controller logs and network traffic for anomalous DHCPv6 messages that could indicate exploitation attempts.

Generated by OpenCVE AI on April 28, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/20/3
http://www.openwall.com/lists/oss-security/2026/04/20/5
https://access.redhat.com/errata/RHSA-2026:11694
https://access.redhat.com/errata/RHSA-2026:11695
https://access.redhat.com/errata/RHSA-2026:11696
https://access.redhat.com/errata/RHSA-2026:11698
https://access.redhat.com/errata/RHSA-2026:11700
https://access.redhat.com/errata/RHSA-2026:11701
https://access.redhat.com/errata/RHSA-2026:11702
https://access.redhat.com/errata/RHSA-2026:22110
https://access.redhat.com/security/cve/CVE-2026-5367
https://bugzilla.redhat.com/show_bug.cgi?id=2455863
https://nvd.nist.gov/vuln/detail/CVE-2026-5367
https://www.cve.org/CVERecord?id=CVE-2026-5367

History

Mon, 01 Jun 2026 01:45:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:22110

Wed, 29 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:11695 https://access.redhat.com/errata/RHSA-2026:11698 https://access.redhat.com/errata/RHSA-2026:11700 https://access.redhat.com/errata/RHSA-2026:11701

Wed, 29 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:11694 https://access.redhat.com/errata/RHSA-2026:11696 https://access.redhat.com/errata/RHSA-2026:11702

Wed, 29 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10::fastdatapath

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat fast Datapath Redhat openshift Container Platform
Vendors & Products		Redhat fast Datapath Redhat openshift Container Platform

Tue, 28 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:7::fastdatapath~~

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5367 https://www.cve.org/CVERecord?id=CVE-2026-5367
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 24 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/20/3 http://www.openwall.com/lists/oss-security/2026/04/20/5

Fri, 24 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Title		Ovn: ovn: information disclosure via crafted dhcpv6 packets
First Time appeared		Redhat Redhat enterprise Linux Redhat openshift
Weaknesses		CWE-130
CPEs		cpe:/a:redhat:openshift:4 cpe:/o:redhat:enterprise_linux:7::fastdatapath cpe:/o:redhat:enterprise_linux:8::fastdatapath cpe:/o:redhat:enterprise_linux:9::fastdatapath
Vendors & Products		Redhat Redhat enterprise Linux Redhat openshift
References		https://access.redhat.com/security/cve/CVE-2026-5367 https://bugzilla.redhat.com/show_bug.cgi?id=2455863
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}`

Subscriptions

Redhat Enterprise Linux Fast Datapath Openshift Openshift Container Platform

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-04-24T12:25:05.024Z

Updated: 2026-06-01T00:15:34.802Z

Reserved: 2026-04-01T18:39:05.229Z

Link: CVE-2026-5367

Vulnrichment

Updated: 2026-04-24T13:37:14.640Z

NVD

Status : Awaiting Analysis

Published: 2026-04-24T13:16:21.990

Modified: 2026-04-29T18:16:04.980

Link: CVE-2026-5367

Redhat

Severity : Important

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-5367 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses

CWE-130

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5367", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T18:39:05.229Z", "datePublished": "2026-04-24T12:25:05.024Z", "dateUpdated": "2026-06-01T00:15:34.802Z"}, "containers": {"cna": {"title": "Ovn: ovn: information disclosure via crafted dhcpv6 packets", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port."}], "affected": [{"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.03", "defaultStatus": "affected", "versions": [{"version": "0:25.03.2-100.el10fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn-2021", "defaultStatus": "affected", "versions": [{"version": "0:21.12.0-145.el8fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.06", "defaultStatus": "affected", "versions": [{"version": "0:23.06.4-30.el8fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.06", "defaultStatus": "affected", "versions": [{"version": "0:23.06.4-30.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.09", "defaultStatus": "affected", "versions": [{"version": "0:23.09.6-16.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn24.03", "defaultStatus": "affected", "versions": [{"version": "0:24.03.7-82.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.03", "defaultStatus": "affected", "versions": [{"version": "0:25.03.2-100.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.09", "defaultStatus": "affected", "versions": [{"version": "0:25.09.2-103.el9fdp", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.09", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.11", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.12", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn2.13", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.03", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn-2021", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.03", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.06", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.09", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn22.12", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.03", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.06", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn23.09", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn24.03", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn24.09", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovn25.03", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11694", "name": "RHSA-2026:11694", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11695", "name": "RHSA-2026:11695", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11696", "name": "RHSA-2026:11696", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11698", "name": "RHSA-2026:11698", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11700", "name": "RHSA-2026:11700", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11701", "name": "RHSA-2026:11701", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11702", "name": "RHSA-2026:11702", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22110", "name": "RHSA-2026:22110", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-5367", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863", "name": "RHBZ#2455863", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-13T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-130: Improper Handling of Length Parameter Inconsistency", "workarounds": [{"lang": "en", "value": "The only potential mitigation is to disable the DHCPv6 feature for\nworkloads attached to OVN logical ports, e.g.:\n\novn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.\n\nWe do not recommend mitigating the vulnerability this way because it\nwill also disable legitimate DHCPv6 traffic originating from\nworkloads connected to logical switch ports."}], "timeline": [{"lang": "en", "time": "2026-04-07T08:10:53.507Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-01T00:15:34.802Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/20/3"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/20/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T13:37:14.640Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T16:58:51.939172Z", "id": "CVE-2026-5367", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:17:08.701Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/20/3"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/20/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T13:37:14.640Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5367", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T16:58:51.939172Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:58:56.750Z"}}], "cna": {"title": "Ovn: ovn: information disclosure via crafted dhcpv6 packets", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:21.12.0-145.el8fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn-2021", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:23.06.4-30.el8fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn23.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:23.06.4-30.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn23.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:23.09.6-16.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn23.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:24.03.7-82.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn24.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:25.03.2-100.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn25.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:25.09.2-103.el9fdp", "lessThan": "*", "versionType": "rpm"}], "packageName": "ovn25.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 10", "packageName": "ovn25.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 10", "packageName": "ovn25.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn2.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn2.12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn2.13", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 8", "packageName": "ovn23.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn-2021", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::fastdatapath"], "vendor": "Red Hat", "product": "Fast Datapath for RHEL 9", "packageName": "ovn23.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn22.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn22.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn22.12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn23.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn23.06", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn23.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn24.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn24.09", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "ovn25.03", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-04-07T08:10:53.507Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-13T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11694", "name": "RHSA-2026:11694", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11695", "name": "RHSA-2026:11695", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11696", "name": "RHSA-2026:11696", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11698", "name": "RHSA-2026:11698", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11700", "name": "RHSA-2026:11700", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11701", "name": "RHSA-2026:11701", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11702", "name": "RHSA-2026:11702", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-5367", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863", "name": "RHBZ#2455863", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "The only potential mitigation is to disable the DHCPv6 feature for\nworkloads attached to OVN logical ports, e.g.:\n\novn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.\n\nWe do not recommend mitigating the vulnerability this way because it\nwill also disable legitimate DHCPv6 traffic originating from\nworkloads connected to logical switch ports."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "Improper Handling of Length Parameter Inconsistency"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-29T12:45:22.472Z"}, "x_redhatCweChain": "CWE-130: Improper Handling of Length Parameter Inconsistency"}}, "cveMetadata": {"cveId": "CVE-2026-5367", "state": "PUBLISHED", "dateUpdated": "2026-05-29T12:45:22.472Z", "dateReserved": "2026-04-01T18:39:05.229Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-24T12:25:05.024Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port."}], "id": "CVE-2026-5367", "lastModified": "2026-04-29T18:16:04.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-24T13:16:21.990", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11694"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11695"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11696"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11698"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11700"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11701"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:11702"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-5367"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/20/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/20/5"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "ovn: OVN: Information disclosure via crafted DHCPv6 packets", "id": "2455863", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-130", "details": ["A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port."], "mitigation": {"lang": "en:us", "value": "The only potential mitigation is to disable the DHCPv6 feature for\nworkloads attached to OVN logical ports, e.g.:\novn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.\nWe do not recommend mitigating the vulnerability this way because it\nwill also disable legitimate DHCPv6 traffic originating from\nworkloads connected to logical switch ports."}, "name": "CVE-2026-5367", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "fix_state": "Affected", "package_name": "ovn2.11", "product_name": "Fast Datapath for RHEL 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "fix_state": "Affected", "package_name": "ovn2.12", "product_name": "Fast Datapath for RHEL 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "fix_state": "Affected", "package_name": "ovn2.13", "product_name": "Fast Datapath for RHEL 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn-2021", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn2.11", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn2.12", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn2.13", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.03", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.06", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.09", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.12", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.03", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.06", "product_name": "Fast Datapath for RHEL 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn-2021", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.06", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn22.12", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.06", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn23.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn24.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn24.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn25.03", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9::fastdatapath", "fix_state": "Affected", "package_name": "ovn25.09", "product_name": "Fast Datapath for RHEL 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn22.06", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn22.09", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn22.12", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn23.03", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn23.06", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn23.09", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn24.03", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ovn24.09", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5367\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5367"], "statement": "An Important information disclosure flaw exists in OVN (Open Virtual Network) where a remote attacker can send specially crafted DHCPv6 SOLICIT packets to the `ovn-controller`. This can lead to an out-of-bounds read, disclosing sensitive heap memory information back to the attacker's virtual machine port. This vulnerability affects OVN deployments where DHCPv6 is enabled for logical switch ports.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Fast Datapath for RHEL 9", "source": "cna", "vendor": "Red Hat"}, "product": "fast_datapath", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift Container Platform 4", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_container_platform", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-28T14:21:48.336891+00:00", "value": {"mitigation_remediation": ["Apply the latest OVN patch that addresses the out\u2011of\u2011bounds read in DHCPv6 handling.", "If updating is not immediately possible, disable DHCPv6 for affected workloads by running `ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options` for each logical switch port.", "Restrict DHCPv6 traffic to trusted sources by configuring firewall or network policies to block unsolicited SOLICIT packets.", "Monitor OVN controller logs and network traffic for anomalous DHCPv6 messages that could indicate exploitation attempts."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected products include Red\u202fHat Fast\u202fDatapath for Red\u202fHat Enterprise Linux 7, 8 and 9, as well as Red\u202fHat OpenShift Container Platform 4. No specific affected version ranges are provided in the data; version information is therefore not available.", "description_and_impact": "An out-of-bounds read occurs in the OVN controller when it processes DHCPv6 SOLICIT packets with an inflated Client ID length, allowing a remote attacker to read sensitive heap memory and return the data to an attacker\u2011attached virtual machine port. This vulnerability is classified as CWE\u2011130 and is listed with a CVSS score of 8.6, indicating high severity for confidentiality exposure. The flaw can be triggered by a craft packet sent over the network to the OVN controller, with no authentication or privileged local access required, making remote disclosure possible what makes it a significant confidentiality risk.", "risk_and_exploitability": "The EPSS score of 0.031% indicates a low but non\u2011zero probability of exploitation, and the vulnerability is not listed in CISA KEV. The main attack vector is through network\u2011based DHCPv6 traffic; an attacker can send a malformed SOLICIT packet to the OVN controller and obtain non\u2011authenticated memory contents. The high CVSS score reflects that the disclosed data could include credentials, keys or other sensitive information, thereby facilitating lateral movement or further compromise if the attacker achieves additional access."}}}}, "created": "2026-04-28T09:17:59.538162+00:00", "updated": "2026-04-28T14:30:33.748693+00:00", "vendors": ["redhat", "redhat$PRODUCT$fast_datapath", "redhat$PRODUCT$openshift_container_platform"]}