CVE-2026-5265 Overview
CVE-2026-5265 is an out-of-bounds read in the ICMP error response handler of ovn-controller, the per-chassis daemon of OVN (Open Virtual Network). When it generates an ICMP Destination Unreachable or Packet Too Big message, the handler quotes a portion of the offending packet into the ICMP error body and sizes that copy from the IP header's self-declared length (ip_tot_len for IPv4, ip6_plen for IPv6) without checking it against the number of bytes actually present in the packet buffer. A malicious VM can therefore send a short packet whose length field claims far more data than was sent, and the ICMP error returned to it carries heap memory that lies beyond the packet buffer.
Critical Impact
A VM can read heap memory of the ovn-controller process on the chassis that generates the ICMP error by sending crafted packets with inflated IP length fields. Each response exposes the bytes adjacent to the packet buffer, which may include cryptographic material, credentials, or data from other flows the process is handling; because the trigger is cheap and repeatable, the leak can be accumulated over many requests.
Affected Products
- OVN (Open Virtual Network) Controller
- Red Hat OpenStack Platform (affected versions are addressed in the RHSA-2026 advisories listed under Patch Information below)
- Linux distributions utilizing OVN for network virtualization
Discovery Timeline
- April 20, 2026 - Vulnerability disclosed on the oss-security mailing list (openwall.com)
- April 24, 2026 - CVE-2026-5265 published to NVD
- April 29, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5265
Vulnerability Analysis
This vulnerability stems from improper length validation in the ICMP error response generation code path within ovn-controller. The root issue is classified as CWE-130 (Improper Handling of Length Parameter Inconsistency), where the software trusts attacker-controlled length values without bounds checking.
When a packet triggers an ICMP error condition, for example hitting a reject ACL (OVN answers non-TCP traffic with ICMP Destination Unreachable) or exceeding the gateway MTU configured on a logical router port (Packet Too Big), ovn-controller constructs the error message in its packet-in handler. Per RFC 792 and RFC 4443, ICMP error messages quote a portion of the original offending packet in the message body so the sender can identify which packet caused the error; RFC 4443 bounds that quoted portion so the whole reply fits in the 1280-byte IPv6 minimum MTU.
The vulnerable code path reads the IP header's declared length field (ip_tot_len for IPv4 or ip6_plen for IPv6) and uses this value to determine how many bytes to copy from the original packet into the ICMP response. However, this self-declared length is not validated against the actual buffer size containing the packet data.
Root Cause
The vulnerability exists because the ICMP error generation routine blindly trusts the IP header's length field without performing bounds validation. In a properly formed packet, the IP total length accurately reflects the packet size. However, an attacker can craft a short packet (e.g., 64 bytes) while setting the IP length field to a much larger value (e.g., 1500 bytes). When the ICMP handler attempts to copy data based on this inflated length, it reads beyond the valid packet buffer into adjacent heap memory.
This is a classic instance of CWE-130, where an inconsistency between the declared and actual length leads to memory disclosure. The fix is to compare the IP header's declared length against the number of bytes actually in the packet buffer and copy the smaller of the two. For IPv6 the comparison must account for ip6_plen excluding the 40-byte fixed header, so the declared packet size is 40 + ip6_plen.
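The missing check, shown as an added example in C that is not OVN code and not the vendor patch: a 64-byte IPv4 packet claims 1500 bytes in ip_tot_len, a calloc'd arena with a marker string placed immediately after the packet stands in for adjacent heap memory (a real ovn-controller holds the packet in a dp_packet whose neighbours are whatever the allocator placed there), and QUOTE_MAX is an assumed cap on how much of the offending packet an ICMP error quotes. quote_vulnerable sizes the copy from the declared length alone and pulls the marker into the ICMP body; quote_fixed clamps to the bytes actually present and does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OVN code. A calloc'd arena stands in for a heap region:
 * the crafted packet occupies its first PKT_ACTUAL bytes and a marker string
 * follows immediately, as unrelated heap data would. QUOTE_MAX is an assumed
 * cap on how many bytes of the offending packet an ICMP error may quote. */
#define ARENA_SIZE 512
#define PKT_ACTUAL 64
#define QUOTE_MAX  128
#define IPV4_HLEN  20

static const char MARKER[] = "ADJACENT-HEAP-SECRET";

/* Read a big-endian 16-bit field (ip_tot_len is stored in network order). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build a minimal IPv4 packet of PKT_ACTUAL bytes whose ip_tot_len says `declared`. */
static size_t build_crafted_ipv4(uint8_t *pkt, uint16_t declared)
{
    memset(pkt, 0, PKT_ACTUAL);
    pkt[0] = 0x45;                              /* version 4, IHL 5 */
    pkt[2] = (uint8_t)(declared >> 8);          /* ip_tot_len, attacker-controlled */
    pkt[3] = (uint8_t)(declared & 0xff);
    pkt[8] = 64;                                /* TTL */
    pkt[9] = 17;                                /* UDP: reject answers with ICMP */
    memset(pkt + IPV4_HLEN, 0x41, PKT_ACTUAL - IPV4_HLEN);
    return PKT_ACTUAL;
}

/* Vulnerable pattern: copy length taken from the declared total length only. */
static size_t quote_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *out)
{
    (void)pkt_len;                              /* never consulted: the bug */
    size_t n = be16(pkt + 2);
    if (n > QUOTE_MAX) n = QUOTE_MAX;
    memcpy(out, pkt, n);                        /* reads past pkt_len when declared > actual */
    return n;
}

/* Hardened pattern: clamp the declared length to the bytes actually present. */
static size_t quote_fixed(const uint8_t *pkt, size_t pkt_len, uint8_t *out)
{
    size_t n = be16(pkt + 2);
    if (n > pkt_len) n = pkt_len;               /* the missing bounds check */
    if (n > QUOTE_MAX) n = QUOTE_MAX;
    memcpy(out, pkt, n);
    return n;
}

/* 1 if the marker string appears anywhere in the quoted bytes. */
static int contains_marker(const uint8_t *buf, size_t n)
{
    size_t m = strlen(MARKER);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, MARKER, m) == 0) return 1;
    return 0;
}

/* Run one quoting path on a packet whose header claims `declared` bytes.
 * Returns the number of bytes quoted into the ICMP body; if `leaked` is not
 * NULL it is set to 1 when the marker ended up in the quoted bytes. */
size_t run_path(uint16_t declared, int use_fixed, int *leaked)
{
    uint8_t *arena = calloc(ARENA_SIZE, 1);
    if (!arena) return 0;
    size_t actual = build_crafted_ipv4(arena, declared);
    memcpy(arena + actual, MARKER, sizeof MARKER);   /* "adjacent heap" */
    uint8_t out[QUOTE_MAX];
    size_t n = use_fixed ? quote_fixed(arena, actual, out)
                         : quote_vulnerable(arena, actual, out);
    if (leaked) *leaked = contains_marker(out, n);
    free(arena);
    return n;
}

/* 1 when the vulnerable path leaks the marker and the fixed path does not. */
int demo_leak(uint16_t declared)
{
    int v = 0, f = 0;
    run_path(declared, 0, &v);
    run_path(declared, 1, &f);
    return v && !f;
}

int main(void)
{
    int leaked = 0;
    size_t n = run_path(1500, 0, &leaked);   /* 64-byte packet claiming 1500 */
    printf("vulnerable: quoted %zu bytes, marker leaked=%d\n", n, leaked);
    n = run_path(1500, 1, &leaked);
    printf("fixed:      quoted %zu bytes, marker leaked=%d\n", n, leaked);
    printf("honest 64-byte packet leaks under vulnerable path: %d\n", demo_leak(64));
    return 0;
}
```

Note that the vulnerable path here never reads outside the arena, so the demonstration itself is well-defined; in the real process the same copy runs off the end of the packet allocation into whatever the allocator placed next, and a read that crosses into an unmapped page crashes ovn-controller instead of leaking.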
Attack Vector
The attack is network-accessible and requires only control of a VM (or any logical port) attached to an OVN-managed network; the leaked bytes come from the ovn-controller process on the chassis that processes the offending packet. The exploitation sequence involves:
- The attacker crafts a network packet with a small actual payload but an artificially inflated IP length field
- The packet is sent to a destination that will trigger an ICMP error response (e.g., a port blocked by a reject ACL)
- The ovn-controller generates an ICMP error message, reading beyond the packet buffer based on the fake length
- The ICMP response containing leaked heap memory is sent back to the attacker's VM
- The attacker extracts the heap memory contents from the ICMP payload
This attack can be repeated to systematically leak heap memory from the ovn-controller process, potentially exposing sensitive information such as cryptographic materials, authentication tokens, or data from other network flows being processed.
Detection Methods for CVE-2026-5265
Indicators of Compromise
- ICMP Destination Unreachable or Packet Too Big messages whose quoted original packet is longer than the frame that triggered them
- Network traffic containing ICMP Destination Unreachable or Packet Too Big messages with anomalous data patterns in the payload
- Frames from VMs whose declared IP length (ip_tot_len, or 40 + ip6_plen for IPv6) exceeds the bytes actually on the wire; a declared length smaller than the frame is normal for frames padded to the 60-byte Ethernet minimum and is not an indicator
- Increased ICMP error generation rates from ovn-controller processes
Detection Strategies
- Monitor for packets whose IP header declares more bytes than the frame carries (declared larger than actual is the malformed case; smaller is ordinary padding)
- Implement network flow analysis to detect VMs repeatedly triggering ICMP error conditions with malformed packets
- Deploy deep packet inspection to flag ICMP error responses whose quoted original packet is longer than the triggering frame actually was (this needs the original frame, for example from a capture on the same node) or whose quoted bytes contain content no packet on the wire carried, such as ASCII strings or pointer-like values
- Review ovn-controller logs for unusual packet processing errors or memory-related warnings
Monitoring Recommendations
- Enable packet capture on OVN gateway nodes to analyze ICMP error traffic patterns
- Configure network monitoring tools to alert on IP length field anomalies
- Implement flow-based analysis to identify VMs generating suspicious ICMP-triggering traffic
- Watch for unexpected ovn-controller crashes or restarts: an out-of-bounds read leaves no memory-usage footprint, but a read that runs off the end of the mapped heap faults, so crashes in the ICMP error path can be a side effect of exploitation attempts
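A detection-side check for the length-mismatch indicator above, added here as example code that is not from OVN or any vendor tool: it classifies Ethernet frames by comparing the IP-declared length with the bytes on the wire, treating a declared length larger than the frame as the anomaly and a smaller one as ordinary minimum-frame padding. The frames are constructed inline; the 802.1Q handling and padding to the 60-byte minimum mimic what a capture on a gateway node would show, and the MAC addresses and VLAN ID are placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from any OVN or vendor tool. Frames are constructed
 * inline; VLAN handling and padding to the 60-byte minimum (FCS excluded)
 * mimic what a packet capture would show. */
enum frame_verdict {
    FRAME_OK,        /* declared length equals bytes on the wire */
    FRAME_PADDED,    /* declared shorter than wire: normal for small frames */
    FRAME_INFLATED,  /* declared longer than wire: the CVE-2026-5265 trigger */
    FRAME_BAD_HDR,   /* too short for the headers it claims to carry */
    FRAME_NOT_IP     /* ARP and friends: out of scope */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one Ethernet frame by comparing the IP-declared length with `len`. */
enum frame_verdict check_frame(const uint8_t *f, size_t len)
{
    if (len < 14) return FRAME_BAD_HDR;
    size_t off = 12;
    uint16_t etype = be16(f + off);
    if (etype == 0x8100) {                      /* single 802.1Q tag */
        if (len < 18) return FRAME_BAD_HDR;
        off += 4;
        etype = be16(f + off);
    }
    off += 2;                                   /* first byte of the L3 header */
    size_t avail = len - off, declared;
    if (etype == 0x0800) {
        if (avail < 20) return FRAME_BAD_HDR;
        declared = be16(f + off + 2);           /* ip_tot_len: header + payload */
        if (declared < 20) return FRAME_BAD_HDR;
    } else if (etype == 0x86DD) {
        if (avail < 40) return FRAME_BAD_HDR;
        declared = 40u + be16(f + off + 4);     /* ip6_plen excludes the fixed header */
    } else {
        return FRAME_NOT_IP;
    }
    if (declared > avail) return FRAME_INFLATED;
    if (declared < avail) return FRAME_PADDED;
    return FRAME_OK;
}

/* Write an Ethernet frame (optional VLAN tag) carrying IPv4 with `payload_len`
 * real bytes after the header but ip_tot_len set to `declared`; returns the
 * wire length after NIC-style padding, or 0 if the buffer is too small. */
size_t build_ipv4_frame(uint8_t *buf, size_t bufsz, size_t payload_len,
                        uint16_t declared, int vlan)
{
    size_t len = 14 + (vlan ? 4 : 0) + 20 + payload_len;
    size_t wire = len < 60 ? 60 : len;
    if (wire > bufsz) return 0;
    memset(buf, 0, wire);
    memset(buf, 0x02, 6); memset(buf + 6, 0x04, 6);   /* placeholder MACs */
    size_t p = 12;
    if (vlan) { buf[p] = 0x81; buf[p + 1] = 0x00; buf[p + 3] = 100; p += 4; }
    buf[p] = 0x08; buf[p + 1] = 0x00; p += 2;
    buf[p] = 0x45;
    buf[p + 2] = (uint8_t)(declared >> 8); buf[p + 3] = (uint8_t)declared;
    buf[p + 8] = 64; buf[p + 9] = 17;
    memset(buf + p + 20, 0x41, payload_len);
    return wire;
}

/* Same for IPv6, with ip6_plen set to `declared_plen`. */
size_t build_ipv6_frame(uint8_t *buf, size_t bufsz, size_t payload_len,
                        uint16_t declared_plen)
{
    size_t len = 14 + 40 + payload_len;
    size_t wire = len < 60 ? 60 : len;
    if (wire > bufsz) return 0;
    memset(buf, 0, wire);
    memset(buf, 0x02, 6); memset(buf + 6, 0x04, 6);
    buf[12] = 0x86; buf[13] = 0xDD;
    buf[14] = 0x60;
    buf[18] = (uint8_t)(declared_plen >> 8); buf[19] = (uint8_t)declared_plen;
    buf[20] = 17; buf[21] = 64;
    memset(buf + 54, 0x41, payload_len);
    return wire;
}

/* Scan a constructed sample set; returns the number of inflated frames. */
int demo_scan(void)
{
    static const char *names[] = { "ok", "padded", "inflated", "bad-hdr", "not-ip" };
    struct { int v6; size_t payload; uint16_t declared; } cases[] = {
        { 0, 100,  120 },   /* honest: 20-byte header + 100 bytes payload */
        { 0,   8,   28 },   /* honest, padded to 60 bytes on the wire */
        { 0,  44, 1500 },   /* 64 real L3 bytes claiming 1500: the trigger */
        { 1,  20, 1400 },   /* IPv6 equivalent: 60 real bytes, plen 1400 */
    };
    uint8_t b[256];
    int inflated = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = cases[i].v6
            ? build_ipv6_frame(b, sizeof b, cases[i].payload, cases[i].declared)
            : build_ipv4_frame(b, sizeof b, cases[i].payload, cases[i].declared, 0);
        enum frame_verdict v = check_frame(b, n);
        printf("frame %zu: wire=%zu declared=%u -> %s\n", i, n,
               (unsigned)(cases[i].declared + (cases[i].v6 ? 40 : 0)), names[v]);
        if (v == FRAME_INFLATED) inflated++;
    }
    return inflated;
}

int main(void) { printf("%d inflated frame(s)\n", demo_scan()); return 0; }
```

Only FRAME_INFLATED is worth an alert; a sensor that fires on any mismatch will drown in padded frames from small UDP and TCP control packets.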
How to Mitigate CVE-2026-5265
Immediate Actions Required
- Apply the security patches referenced in Red Hat Security Advisories RHSA-2026:11694, 11695, 11696, 11698, 11700, 11701 and 11702
- Review ACL configurations and, as a stop-gap, convert reject ACLs to drop so that no ICMP error or TCP RST is generated; clients of blocked ports then time out instead of receiving an immediate error
- Filter packets whose IP header declares more bytes than the frame carries at a point outside the attacker's control (a host firewall or IDS on the hypervisor); this cannot be expressed as an OVN ACL, whose match language has no IP length field
- Audit VM network traffic for suspicious patterns while patches are being deployed
Patch Information
Red Hat has released security advisories addressing this vulnerability across multiple product versions. The patches add proper bounds checking to validate the IP header's declared length against the actual packet buffer size before copying data into ICMP error responses.
Consult the following advisories for patch information specific to your deployment:
- RHSA-2026:11694
- RHSA-2026:11695
- RHSA-2026:11696
- RHSA-2026:11698
- RHSA-2026:11700
- RHSA-2026:11701
- RHSA-2026:11702
Additional technical details are available in Red Hat Bug Report #2453458 and the Red Hat CVE-2026-5265 Information page.
Workarounds
- Temporarily convert reject ACL rules to drop rules until patches can be applied; this removes the ACL trigger for ICMP Destination Unreachable but does not cover Packet Too Big generation on logical router ports with a gateway MTU configured
- Filtering of inflated IP length fields cannot be enforced from inside a VM the attacker controls; apply it on the hypervisor or at a network choke point instead
- Isolate untrusted VMs on logical switches whose ACLs use drop rather than reject, so their traffic never reaches the ICMP error path
- Consider rate-limiting ICMP error responses at the network layer; this reduces the bandwidth of the leak but does not stop it
# Example: convert a reject ACL to drop (temporary workaround).
# SWITCH and PORT are placeholders; the match must be the exact string stored
# in the NB database (copy it from `ovn-nbctl acl-list "$SWITCH"`), otherwise
# acl-del finds nothing and the reject rule stays in place.
SWITCH=sw0
PORT=vm-port
MATCH="inport == \"$PORT\" && ip4.dst == 10.0.0.1"
# Before (generates an ICMP error or TCP RST - exercises the vulnerable path):
#   ovn-nbctl acl-add "$SWITCH" to-lport 1000 "$MATCH" reject
# After (silently drops the packet - no ICMP error is generated):
ovn-nbctl acl-del "$SWITCH" to-lport 1000 "$MATCH"
ovn-nbctl acl-add "$SWITCH" to-lport 1000 "$MATCH" drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


