CVE-2026-44919 Overview
CVE-2026-44919 affects OpenStack Ironic through version 35.x prior to commit a3f6d73. The vulnerability resides in the image handling subsystem. An infinite loop occurs in checksum calculations when an attacker supplies the file:///dev/zero URL as input. Authenticated users with API access can trigger this condition. The flaw is categorized under [CWE-696] Incorrect Behavior Order, resulting in a denial-of-service against the Ironic bare-metal provisioning service. The issue was resolved in OpenStack Ironic commit a3f6d735ac3642ab95b49142c7305f072ae748d0.
Critical Impact
An authenticated attacker can force the Ironic service into an infinite checksum calculation loop, exhausting CPU and disrupting bare-metal provisioning operations.
Affected Products
- OpenStack Ironic versions through 35.x
- OpenStack Ironic releases prior to commit a3f6d73
- Deployments processing user-supplied image URLs through Ironic
Discovery Timeline
- 2026-05-14 - CVE CVE-2026-44919 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44919
Vulnerability Analysis
OpenStack Ironic provisions bare-metal machines and downloads operating system images during deployment workflows. The service computes checksums on supplied image sources to verify integrity. When the image URL points to file:///dev/zero, the underlying Linux pseudo-device returns an unbounded stream of null bytes.
The checksum routine reads from the source until end-of-file. Since /dev/zero never returns EOF, the read loop never terminates. The worker process consumes CPU indefinitely while attempting to compute a hash over an effectively infinite input. This blocks legitimate provisioning requests and degrades service availability.
Root Cause
The root cause is missing validation on image URL schemes and pathological local-file targets. Ironic accepts file:// URLs without restricting which paths can be referenced. The checksum implementation also lacks a maximum read size or timeout. These two omissions combine to enable the infinite loop condition referenced in the Launchpad bug report.
Attack Vector
An authenticated user with permission to submit image references to the Ironic API supplies file:///dev/zero as the image source. When Ironic begins checksum verification, the conductor worker enters an unterminating read loop. Repeated submissions can exhaust available conductor workers and produce a denial-of-service across the deployment fleet. The fix is documented in the OpenStack Ironic upstream commit.
Detection Methods for CVE-2026-44919
Indicators of Compromise
- Ironic conductor processes consuming sustained 100% CPU on a single core without corresponding deployment progress.
- API requests referencing file:///dev/zero or other Linux pseudo-devices such as /dev/random in image URL fields.
- Long-running or stalled provisioning tasks that never reach the active state.
Detection Strategies
- Inspect Ironic API access logs for image references using the file:// URL scheme, particularly paths under /dev/.
- Alert on conductor worker threads whose checksum operations exceed expected duration thresholds.
- Correlate authenticated API calls against task completion rates to identify workers stuck in compute-bound loops.
Monitoring Recommendations
- Monitor CPU utilization per Ironic conductor process and trigger alerts on sustained saturation.
- Track the count of in-flight image verification tasks and flag deviations from baseline.
- Forward Ironic and Keystone authentication logs to a central SIEM for correlation with resource metrics.
How to Mitigate CVE-2026-44919
Immediate Actions Required
- Apply OpenStack Ironic commit a3f6d735ac3642ab95b49142c7305f072ae748d0 or upgrade to a release that incorporates this fix.
- Audit Ironic policy files to restrict which roles can submit arbitrary image URLs.
- Review recent API logs for prior submissions referencing file:///dev/zero or similar pseudo-device paths.
Patch Information
The upstream fix is available in the OpenStack Ironic repository at commit a3f6d73. Operators running versions through 35.x must update to a build containing this commit. Reference the OpenStack Ironic commit and the Launchpad bug report for full technical details.
Workarounds
- Disable support for the file:// URL scheme in Ironic image handling configuration until patching is complete.
- Restrict Ironic API access through Keystone role-based policies, limiting image submission to trusted operators.
- Place resource limits on Ironic conductor processes using systemd CPUQuota or cgroups to contain runaway loops.
# Example systemd override to cap conductor CPU usage
sudo systemctl edit openstack-ironic-conductor.service
# Add the following lines:
# [Service]
# CPUQuota=200%
# TimeoutStartSec=300
sudo systemctl daemon-reload
sudo systemctl restart openstack-ironic-conductor.service
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
