On Mon, Apr 20, 2026 at 11:01 AM Ales Musil <[email protected]> wrote:
> Description
> ===========
>
> Multiple versions of OVN (Open Virtual Network) are vulnerable to
> crafted IP packets that could potentially read out-of-bounds,
> leaking adjacent info stored on the heap.
>
> OVN supports sending ICMP error messages in multiple scenarios, e.g.
> reject ACLs, PMTU discovery via Gateway MTU, Load Balancer without
> any backends that are configured to reject a packet. The ICMP error
> is generated in the userspace thread called pinctrl. The thread accesses
> user-controlled packet data and copies some of it in the process of
> creating a reply packet.
>
> When generating an ICMP Destination Unreachable or Packet Too
> Big response, the handler copies a portion of the original packet into
> the ICMP error body using the IP header's self-declared total length
> (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against
> the actual packet buffer size. A VM can send a short packet with an
> inflated IP length field that triggers an ICMP error (e.g., by hitting a
> reject ACL), causing ovn-controller to read heap memory beyond the valid
> packet data and include it in the ICMP response sent back to the workload.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the CVE-2026-5265 identifier to this issue.
>
> A way to determine if any reject ACL is configured:
>
> $ ovn-nbctl --columns match,action find acl action=reject
>
> If the command above returns at least one ACL, the Logical Switch
> configured with that ACL rejects packets matching the condition.
>
> A way to determine if a Gateway MTU is configured:
>
> $ ovn-nbctl --columns name,options list logical_router_port
>
> If the output from the command above returns at least one Logical
> Router Port with gateway_mtu in the options column, that port is
> configured to perform the MTU check.
>
> A way to determine if a Load Balancer has a reject action:
>
> $ ovn-nbctl --columns name,options list load_balancer
>
> If the output from the command above returns at least one Load
> Balancer with gateway_mtu in the options column, that Load Balancer
> is configured to reject the traffic if it lacks any backends.
>
> Mitigation
> ==========
>
> The only potential mitigation is to remove or disable all affected ACLs,
> Load Balancers or Gateway MTU settings on Logical Router Ports.
>
> We do not recommend mitigating the vulnerability this way because it
> will also affect legitimate traffic going through the cluster.
>
> Fix
> ===
>
> Patches to fix this vulnerability in OVN 24.03 and newer are
> applied to the appropriate branches.
>
> Recommendation
> ==============
>
> We recommend that users of OVN apply the patches, or upgrade to
> a known patched version of OVN. These include:
>
> * v24.03.8
> * v24.09.4
> * v25.03.3
> * v25.09.3
> * v26.03.1
>
> Acknowledgments
> ===============
>
> The OVN team wishes to thank the reporter:
>
> Seiji Sakurai <[email protected]>

One small correction: the 24.09 release is not happening, so for 24.09 please upgrade to the next available release.
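The length handling the advisory describes, as an added example that is not OVN's code: a bare IPv4 packet (no Ethernet header, an assumption made for brevity) whose Total Length field is inflated, one copy-length routine that trusts that field, and a bounded routine that clamps it to the bytes actually present in the buffer. The 548-byte cap, the `struct pkt` type, the function names and the sentinel-filled arena standing in for adjacent heap memory are all constructed for this example; the packet is placed inside a larger buffer so that the over-read stays within defined memory while still showing which bytes would end up in the ICMP error body.

```c
/* Added example, not OVN code. Models the ICMP-error body copy the advisory
 * describes: the declared IPv4 Total Length versus the real buffer length. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20
/* Example cap (assumed): 576-byte minimum MTU minus outer IP and ICMP headers. */
#define ICMP_ERR_MAX_ORIG_BYTES 548

struct pkt {
    const uint8_t *data;
    size_t len;            /* bytes actually present in the buffer */
};

/* Big-endian 16-bit Total Length at offset 2 of the IPv4 header. */
static uint16_t ipv4_declared_len(const struct pkt *p)
{
    return (uint16_t)(((uint16_t)p->data[2] << 8) | p->data[3]);
}

/* Vulnerable pattern: trust the self-declared length. The result can exceed
 * p->len, so a memcpy of that many bytes reads past the packet on the heap. */
size_t copy_len_trusting_header(const struct pkt *p)
{
    size_t n = ipv4_declared_len(p);
    return n > ICMP_ERR_MAX_ORIG_BYTES ? ICMP_ERR_MAX_ORIG_BYTES : n;
}

/* Hardened pattern: never copy more than the buffer holds, and reject a
 * packet too short for a header or a declared length smaller than the header. */
size_t copy_len_bounded(const struct pkt *p)
{
    if (p->len < IPV4_HDR_LEN) return 0;
    size_t n = ipv4_declared_len(p);
    if (n < IPV4_HDR_LEN) return 0;
    if (n > p->len) n = p->len;
    return n > ICMP_ERR_MAX_ORIG_BYTES ? ICMP_ERR_MAX_ORIG_BYTES : n;
}

/* Copy the "original datagram" portion of an ICMP error body using the given
 * length policy. Returns bytes copied, 0 if nothing should be sent. */
size_t build_icmp_error_body(const struct pkt *p,
                             size_t (*len_fn)(const struct pkt *),
                             uint8_t *out, size_t out_cap)
{
    size_t n = len_fn(p);
    if (n == 0 || n > out_cap) return 0;
    memcpy(out, p->data, n);
    return n;
}

#define ARENA_LEN 600
#define REAL_PKT_LEN 28   /* 20-byte IPv4 header + 8-byte UDP header, constructed */
#define INFLATED_LEN 400  /* attacker-chosen Total Length, larger than the buffer */

/* Constructed test: a short UDP packet with an inflated Total Length, placed at
 * the start of an arena whose remainder is filled with 'S' to stand in for
 * adjacent heap data. Returns how many sentinel bytes reached the ICMP body. */
size_t leaked_bytes(int hardened)
{
    uint8_t arena[ARENA_LEN];
    memset(arena, 'S', sizeof arena);
    const uint8_t hdr[REAL_PKT_LEN] = {
        0x45, 0x00, INFLATED_LEN >> 8, INFLATED_LEN & 0xff, /* ver/IHL, TOS, Total Length */
        0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,     /* id, flags, TTL, proto=UDP, csum */
        10, 0, 0, 2, 10, 0, 0, 1,                            /* src 10.0.0.2, dst 10.0.0.1 */
        0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,     /* UDP sport 12345, dport 53, len 8 */
    };
    memcpy(arena, hdr, sizeof hdr);
    struct pkt p = { arena, REAL_PKT_LEN };

    uint8_t body[ICMP_ERR_MAX_ORIG_BYTES];
    size_t n = build_icmp_error_body(
        &p, hardened ? copy_len_bounded : copy_len_trusting_header, body, sizeof body);

    size_t leaked = 0;
    for (size_t i = REAL_PKT_LEN; i < n; i++)
        if (body[i] == 'S') leaked++;
    return leaked;
}

int main(void)
{
    printf("trusting header: %zu sentinel bytes in ICMP body\n", leaked_bytes(0));
    printf("bounded copy:    %zu sentinel bytes in ICMP body\n", leaked_bytes(1));
    return 0;
}
```

Compiled with `cc -Wall` and run, the trusting variant reports 372 sentinel bytes in the body (in the real case, whatever followed the packet on the heap, returned to the workload inside the ICMP response), the bounded variant none. The bounded check also refuses a buffer shorter than an IPv4 header and a Total Length smaller than the header, both of which the declared-length approach accepts without complaint.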
