CVE-2026-5367: OVN Information Disclosure Vulnerability

CVE-2026-5367 Overview

A critical out-of-bounds read vulnerability has been discovered in OVN (Open Virtual Network) that allows remote attackers to extract sensitive information from heap memory. By sending specially crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets containing an inflated Client ID length field, attackers can force the ovn-controller to read beyond the allocated packet buffer boundaries. This memory disclosure vulnerability enables attackers to exfiltrate sensitive data directly to their virtual machine port.

Critical Impact
Remote unauthenticated attackers can exploit this vulnerability to disclose sensitive heap memory contents, potentially exposing cryptographic keys, authentication tokens, or other confidential data processed by the OVN controller.

Affected Products

OVN (Open Virtual Network) - affected versions (see vendor advisories for specific version ranges)
Red Hat OpenStack Platform distributions using OVN
Red Hat Enterprise Linux deployments with OVN components

Discovery Timeline

April 20, 2026 - Public disclosure via OpenWall OSS-Security Discussion
April 24, 2026 - CVE-2026-5367 published to NVD
April 29, 2026 - Last updated in NVD database

Technical Details for CVE-2026-5367

Vulnerability Analysis

This vulnerability stems from improper handling of length (CWE-130) in DHCPv6 packet processing within the OVN controller. When processing DHCPv6 SOLICIT messages, the ovn-controller trusts the Client ID length field specified in the packet without proper bounds validation against the actual packet size. This allows an attacker to craft packets where the declared Client ID length exceeds the actual data present, causing the controller to read memory beyond the packet buffer when processing the request.

The out-of-bounds read condition occurs during the parsing phase of DHCPv6 option fields. Since DHCPv6 uses a Type-Length-Value (TLV) encoding scheme, the controller iterates through options using the length values to determine field boundaries. By manipulating the Client ID option length to an artificially large value, the read operation continues past the legitimate packet data into adjacent heap memory.

Root Cause

The root cause is insufficient validation of the Client ID length field in DHCPv6 SOLICIT packet processing. The vulnerable code path fails to verify that the specified length does not exceed the remaining packet buffer size before performing read operations. This improper length handling (CWE-130) allows attackers to control how much memory is read beyond the packet boundaries.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker with access to a virtual machine connected to an OVN-managed network can send malicious DHCPv6 SOLICIT packets to the controller. The attack flow involves:

The attacker crafts a DHCPv6 SOLICIT packet with a Client ID option containing an inflated length field
The packet is sent to the OVN controller through normal DHCPv6 request channels
The controller processes the packet and reads beyond the buffer boundaries based on the malicious length value
Leaked heap memory contents are included in the DHCPv6 response sent back to the attacker's VM port
The attacker extracts sensitive information from the response data

The vulnerability can be exploited by sending malformed DHCPv6 SOLICIT packets where the Client ID length field is set to a value larger than the actual packet data. The ovn-controller processes these packets without adequate bounds checking, reading heap memory beyond the packet buffer and potentially returning this data to the attacker. Technical details are available in the Red Hat Bugzilla Report #2455863.

Detection Methods for CVE-2026-5367

Indicators of Compromise

Unusual DHCPv6 SOLICIT packets with abnormally large Client ID length values
DHCPv6 response packets that are larger than expected, potentially containing leaked memory data
Repeated DHCPv6 traffic from the same source with varying Client ID length parameters
Memory access violations or crashes in ovn-controller processes

Detection Strategies

Monitor DHCPv6 traffic for SOLICIT packets with Client ID option lengths exceeding typical values (standard Client ID lengths rarely exceed 128 bytes)
Implement network intrusion detection rules to flag DHCPv6 packets where the declared option length exceeds the remaining packet size
Deploy packet inspection to detect mismatches between DHCPv6 option length fields and actual packet boundaries
Enable verbose logging on OVN controllers to capture anomalous DHCPv6 processing events

Monitoring Recommendations

Enable enhanced logging for ovn-controller DHCPv6 processing to capture malformed packet events
Monitor OVN controller memory usage patterns for signs of information leakage
Implement network flow analysis to detect unusual DHCPv6 request/response size ratios
Configure alerts for repeated DHCPv6 failures or retries from the same source

How to Mitigate CVE-2026-5367

Immediate Actions Required

Apply the latest security patches from Red Hat immediately by following the advisories linked below
Restrict network access to DHCPv6 services to only trusted virtual machine networks
Monitor OVN controller logs for signs of exploitation attempts
Consider temporarily disabling DHCPv6 services if not required for operations

Patch Information

Red Hat has released multiple security advisories addressing this vulnerability across different product versions. Organizations should apply the appropriate patches based on their deployment:

Refer to Red Hat CVE-2026-5367 Information for detailed guidance.

Workarounds

Implement network-level filtering to block DHCPv6 packets with Client ID options exceeding reasonable length thresholds
Isolate OVN controller networks from untrusted virtual machine segments where possible
Deploy network segmentation to limit the scope of potential exploitation
Consider using IPv4-only configurations temporarily if DHCPv6 is not operationally required

bash

# Example: Block suspicious DHCPv6 traffic using iptables
# This filters DHCPv6 client traffic (port 546) to help mitigate exploitation attempts
iptables -A INPUT -p udp --dport 547 -m length --length 1200: -j DROP
ip6tables -A INPUT -p udp --dport 547 -m length --length 1200: -j DROP

CVE-2026-5367 Overview

Critical Impact
Remote unauthenticated attackers can exploit this vulnerability to disclose sensitive heap memory contents, potentially exposing cryptographic keys, authentication tokens, or other confidential data processed by the OVN controller.

Affected Products

OVN (Open Virtual Network) - affected versions (see vendor advisories for specific version ranges)
Red Hat OpenStack Platform distributions using OVN
Red Hat Enterprise Linux deployments with OVN components

Discovery Timeline

April 20, 2026 - Public disclosure via OpenWall OSS-Security Discussion
April 24, 2026 - CVE-2026-5367 published to NVD
April 29, 2026 - Last updated in NVD database

Technical Details for CVE-2026-5367

Vulnerability Analysis

Root Cause

Attack Vector

The attacker crafts a DHCPv6 SOLICIT packet with a Client ID option containing an inflated length field
The packet is sent to the OVN controller through normal DHCPv6 request channels
The controller processes the packet and reads beyond the buffer boundaries based on the malicious length value
Leaked heap memory contents are included in the DHCPv6 response sent back to the attacker's VM port
The attacker extracts sensitive information from the response data

Detection Methods for CVE-2026-5367

Indicators of Compromise

Unusual DHCPv6 SOLICIT packets with abnormally large Client ID length values
DHCPv6 response packets that are larger than expected, potentially containing leaked memory data
Repeated DHCPv6 traffic from the same source with varying Client ID length parameters
Memory access violations or crashes in ovn-controller processes

Detection Strategies

Monitor DHCPv6 traffic for SOLICIT packets with Client ID option lengths exceeding typical values (standard Client ID lengths rarely exceed 128 bytes)
Implement network intrusion detection rules to flag DHCPv6 packets where the declared option length exceeds the remaining packet size
Deploy packet inspection to detect mismatches between DHCPv6 option length fields and actual packet boundaries
Enable verbose logging on OVN controllers to capture anomalous DHCPv6 processing events

Monitoring Recommendations

Enable enhanced logging for ovn-controller DHCPv6 processing to capture malformed packet events
Monitor OVN controller memory usage patterns for signs of information leakage
Implement network flow analysis to detect unusual DHCPv6 request/response size ratios
Configure alerts for repeated DHCPv6 failures or retries from the same source

How to Mitigate CVE-2026-5367

Immediate Actions Required

Apply the latest security patches from Red Hat immediately by following the advisories linked below
Restrict network access to DHCPv6 services to only trusted virtual machine networks
Monitor OVN controller logs for signs of exploitation attempts
Consider temporarily disabling DHCPv6 services if not required for operations

Patch Information

Red Hat has released multiple security advisories addressing this vulnerability across different product versions. Organizations should apply the appropriate patches based on their deployment:

Refer to Red Hat CVE-2026-5367 Information for detailed guidance.

Workarounds

Implement network-level filtering to block DHCPv6 packets with Client ID options exceeding reasonable length thresholds
Isolate OVN controller networks from untrusted virtual machine segments where possible
Deploy network segmentation to limit the scope of potential exploitation
Consider using IPv4-only configurations temporarily if DHCPv6 is not operationally required

bash

# Example: Block suspicious DHCPv6 traffic using iptables
# This filters DHCPv6 client traffic (port 546) to help mitigate exploitation attempts
iptables -A INPUT -p udp --dport 547 -m length --length 1200: -j DROP
ip6tables -A INPUT -p udp --dport 547 -m length --length 1200: -j DROP

CVE-2026-5367: OVN Information Disclosure Vulnerability

CVE-2026-5367 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-5367

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-5367

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-5367

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2026-5367: OVN Information Disclosure Vulnerability

CVE-2026-5367 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-5367

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-5367

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-5367

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform