On Mon, Apr 20, 2026 at 11:01 AM Ales Musil <[email protected]> wrote:
> Description
> ===========
>
> Multiple versions of OVN (Open Virtual Network) are vulnerable to
> crafted DHCPv6 packets that could potentially read out-of-bounds,
> leaking adjacent info stored on the heap.
>
> OVN supports configuring DHCPv6 options for Logical Switch Ports.
> When configured we allow handling of DHCPv6 requests in a userspace
> thread called pinctrl. The thread accesses user-controlled packet data
> and copies some of it in the process of creating a reply packet.
>
> When building a DHCPv6 ADVERTISE reply, the handler echoes the
> Client ID option using the option's self-declared length without
> validating it against the actual packet bounds. A workload can send
> a crafted DHCPv6 SOLICIT with an inflated Client ID length field,
> causing ovn-controller to copy heap memory beyond the valid packet
> data into the reply. The reply is then delivered back to the
> attacker's VM port.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the CVE-2026-5367 identifier to this issue.
>
> A way to determine if any LSP has DHCPv6 options configured:
>
> $ ovn-nbctl --columns name,dhcpv6_options list logical_switch_port
>
> If the above command returns at least one dhcpv6_option, the Logical
> Switch Port is configured to respond to DHCPv6 SOLICIT messages.
>
> Mitigation
> ==========
>
> The only potential mitigation is to disable the DHCPv6 feature for
> workloads attached to OVN logical ports, e.g.:
>
> ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.
>
> We do not recommend mitigating the vulnerability this way because it
> will also disable legitimate DHCPv6 traffic originating from
> workloads connected to logical switch ports.
>
> Fix
> ===
>
> Patches to fix this vulnerability in OVN 24.03 and newer are
> applied to the appropriate branches.
>
> Recommendation
> ==============
>
> We recommend that users of OVN apply the patches, or upgrade to
> a known patched version of OVN. These include:
>
> * v24.03.8
> * v24.09.4
> * v25.03.3
> * v25.09.3
> * v26.03.1
>
> Acknowledgments
> ===============
>
> The OVN team wishes to thank the reporter:
>
> Seiji Sakurai <[email protected]>
>

One small correction: the 24.09 release is not happening so for 24.09 please upgrade to the next available release.
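
The bounds check the advisory describes as missing, shown as an added example that is not part of the original message and is not OVN's code or its patch. The function name `echo_client_id` and both sample packets are constructed for illustration; the header layout and the Client ID option code follow RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCPV6_HDR_LEN 4   /* msg-type (1) + transaction-id (3), RFC 8415 */
#define DHCPV6_OPT_HDR 4   /* option-code (2) + option-len (2) */
#define OPT_CLIENTID   1

/* Constructed SOLICIT: Client ID declares 4 bytes and carries 4 bytes. */
static const uint8_t sample_ok[] = {
    0x01, 0xaa, 0xbb, 0xcc,            /* SOLICIT, transaction id */
    0x00, 0x01, 0x00, 0x04,            /* Client ID, declared length 4 */
    0xde, 0xad, 0xbe, 0xef };
/* Constructed SOLICIT: Client ID declares 0x0100 bytes but carries 4. */
static const uint8_t sample_inflated[] = {
    0x01, 0xaa, 0xbb, 0xcc,
    0x00, 0x01, 0x01, 0x00,            /* Client ID, declared length 256 */
    0xde, 0xad, 0xbe, 0xef };

/* Copy the Client ID option (header + data) from msg into out.
 * Returns bytes written, or 0 if the option is absent, does not fit in
 * the received packet, or does not fit in out. */
size_t echo_client_id(const uint8_t *msg, size_t msg_len,
                      uint8_t *out, size_t out_cap)
{
    if (msg_len < DHCPV6_HDR_LEN) {
        return 0;
    }
    size_t off = DHCPV6_HDR_LEN;
    while (msg_len - off >= DHCPV6_OPT_HDR) {
        uint16_t code = (uint16_t) (msg[off] << 8 | msg[off + 1]);
        size_t len = (size_t) msg[off + 2] << 8 | msg[off + 3];
        size_t total = DHCPV6_OPT_HDR + len;

        /* The declared length is sender-controlled: compare it with the
         * bytes actually remaining before walking past or copying it. */
        if (total > msg_len - off) {
            return 0;
        }
        if (code == OPT_CLIENTID) {
            if (total > out_cap) {
                return 0;
            }
            memcpy(out, msg + off, total);
            return total;
        }
        off += total;
    }
    return 0;
}
```

Dropping the `total > msg_len - off` comparison reproduces the class of bug described: the copy length would come from the packet's own length field rather than from the number of bytes received.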
