CVE-2026-5367 PUBLISHED

OVN: information disclosure via crafted DHCPv6 packets

Assigner: redhat
Reserved: 01.04.2026 Published: 24.04.2026 Updated: 24.04.2026

A flaw was found in OVN (Open Virtual Network). A remote attacker who can send DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets from a workload port, by crafting them with a Client ID option whose declared length exceeds the bytes actually present, could cause ovn-controller to read beyond the bounds of the received packet. The out-of-bounds read pulls in whatever follows the packet in heap memory, and that memory is returned in the response delivered to the attacker's virtual machine port, disclosing potentially sensitive data.
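The bug class described above, as an added example that is not OVN's code: a minimal DHCPv6 option walker in the vulnerable shape (trusting the Client Identifier option's length field) next to the bounded shape, run over a constructed SOLICIT. Message type and option code follow RFC 8415 (SOLICIT = 1, OPTION_CLIENTID = 1); the packet bytes and the "SECRET-HEAP" marker standing in for adjacent heap memory are constructed for the demonstration, and the function names are the example's own.

```c
/* Added example for this advisory, not OVN's code: the length-parameter
 * inconsistency named under Problem Types in a minimal DHCPv6 option
 * walker, vulnerable form beside bounded form. Wire format per RFC 8415:
 * 1-byte msg-type, 3-byte transaction-id, then options as 2-byte code,
 * 2-byte length, body. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCPV6_MSG_SOLICIT  1
#define DHCPV6_OPT_CLIENTID 1
#define DHCPV6_HDR_LEN      4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: the option header is checked to fit, the body is not,
 * so a Client ID claiming more bytes than the packet holds points the
 * caller past the end of the packet. Returns 1 if found, 0 if absent. */
int find_client_id_unchecked(const uint8_t *pkt, size_t pkt_len,
                             const uint8_t **cid, size_t *cid_len)
{
    if (pkt_len < DHCPV6_HDR_LEN || pkt[0] != DHCPV6_MSG_SOLICIT) return 0;
    for (size_t off = DHCPV6_HDR_LEN; off + 4 <= pkt_len; ) {
        uint16_t code = rd16(pkt + off), len = rd16(pkt + off + 2);
        if (code == DHCPV6_OPT_CLIENTID) {
            *cid = pkt + off + 4;
            *cid_len = len;           /* BUG: may exceed pkt_len - off - 4 */
            return 1;
        }
        off += 4 + len;
    }
    return 0;
}

/* Bounded shape: every option body must fit in the bytes that remain.
 * Returns 1 if found, 0 if absent, -1 if the packet is malformed. */
int find_client_id_checked(const uint8_t *pkt, size_t pkt_len,
                           const uint8_t **cid, size_t *cid_len)
{
    if (pkt_len < DHCPV6_HDR_LEN || pkt[0] != DHCPV6_MSG_SOLICIT) return 0;
    for (size_t off = DHCPV6_HDR_LEN; off + 4 <= pkt_len; ) {
        uint16_t code = rd16(pkt + off), len = rd16(pkt + off + 2);
        if (len > pkt_len - off - 4) return -1;   /* length exceeds packet */
        if (code == DHCPV6_OPT_CLIENTID) {
            *cid = pkt + off + 4;
            *cid_len = len;
            return 1;
        }
        off += 4 + len;
    }
    return 0;
}

/* Constructed sample: a 12-byte SOLICIT whose Client ID option declares 40
 * bytes but carries 4. Bytes after offset 12 are not part of the packet;
 * they stand in for adjacent heap data the unchecked parser would copy into
 * its reply. The backing array is oversized so this demo stays in bounds. */
#define SAMPLE_PKT_LEN 12
static const uint8_t sample_backing[64] = {
    0x01, 0xaa, 0xbb, 0xcc,   /* SOLICIT, transaction-id */
    0x00, 0x01, 0x00, 0x28,   /* OPTION_CLIENTID, length 40 (inflated) */
    0x00, 0x01, 0x00, 0x01,   /* the 4 DUID bytes actually present */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'H', 'E', 'A', 'P',
};
/* The same packet with an honest length of 4. */
static const uint8_t sample_ok[12] = {
    0x01, 0xaa, 0xbb, 0xcc, 0x00, 0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x01,
};

/* How many bytes beyond the packet the unchecked parser hands back, and
 * whether the "heap" marker falls inside that range. */
size_t unchecked_overread(void)
{
    const uint8_t *cid; size_t cid_len;
    if (find_client_id_unchecked(sample_backing, SAMPLE_PKT_LEN, &cid, &cid_len) != 1) return 0;
    size_t avail = SAMPLE_PKT_LEN - (size_t)(cid - sample_backing);
    return cid_len > avail ? cid_len - avail : 0;
}
int unchecked_leaks_marker(void)
{
    const uint8_t *cid; size_t cid_len;
    if (find_client_id_unchecked(sample_backing, SAMPLE_PKT_LEN, &cid, &cid_len) != 1) return 0;
    return cid_len >= 4 + 6 && memcmp(cid + 4, "SECRET", 6) == 0;
}
/* Bounded parser: rejects the inflated packet, still parses the valid one. */
int checked_verdict(void)
{
    const uint8_t *cid; size_t cid_len;
    return find_client_id_checked(sample_backing, SAMPLE_PKT_LEN, &cid, &cid_len);
}
size_t checked_ok_len(void)
{
    const uint8_t *cid; size_t cid_len = 0;
    return find_client_id_checked(sample_ok, sizeof sample_ok, &cid, &cid_len) == 1 ? cid_len : 0;
}

int main(void)
{
    printf("unchecked: %zu bytes past packet end, marker leaked: %d\n",
           unchecked_overread(), unchecked_leaks_marker());
    printf("checked: verdict %d on inflated packet, Client ID length %zu on valid one\n",
           checked_verdict(), checked_ok_len());
    return 0;
}
```

The fix is the single comparison of the declared option length against the bytes remaining after the option header; a responder that echoes the Client ID into its reply must apply that bound before copying, because the reply is exactly the channel through which the over-read bytes reach the sender.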

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Product Status

Vendor    Product                                   Versions
Red Hat   Fast Datapath for RHEL 7                  Default: affected
Red Hat   Fast Datapath for RHEL 8                  Default: affected
Red Hat   Fast Datapath for RHEL 9                  Default: affected
Red Hat   Red Hat OpenShift Container Platform 4    Default: affected

Workarounds

The only potential mitigation is to disable the DHCPv6 feature for workloads attached to OVN logical ports by clearing the dhcpv6_options reference on each affected logical switch port in the Northbound database, e.g.:

ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options

We do not recommend mitigating the vulnerability this way: once the reference is cleared, ovn-controller no longer answers DHCPv6 for that port, so legitimate DHCPv6 address configuration for workloads connected to those logical switch ports stops working as well.

Problem Types

  • CWE: Improper Handling of Length Parameter Inconsistency