================================================================================
OSSA-2026-017: Script injection during node boot via linux command line override
================================================================================

:Date: June 03, 2026
:CVE: CVE-2026-46447


Affects
~~~~~~~
- Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2


Description
~~~~~~~~~~~
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology) from the Metal3.io Security Team reported a vulnerability in Ironic's kernel command line override code. A user with access to add or modify ``node.driver_info`` or ``node.instance_info`` can create a crafted value to enable iPXE script execution during the boot process.



Patches
~~~~~~~
- https://review.opendev.org/c/openstack/ironic/+/991387 (2023.1/antelope (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/991383 (2024.1/caracal (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/991380 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/ironic/+/991377 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/ironic/+/991374 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/ironic/+/991365 (2026.2/hibiscus (development))
- https://review.opendev.org/c/openstack/ironic/+/991371 (Bugfix/33.0)
- https://review.opendev.org/c/openstack/ironic/+/991368 (Bugfix/34.0)


Credits
~~~~~~~
- Dmitry Tantsur from Red Hat
- Tuomo Tanskanen from Ericsson Software Technology


References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/2150624
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-46447


Notes
~~~~~
- Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained.
  Patches are provided as a courtesy. Releases 2023.2 (bobcat) and
  2024.2 (dalmatian) are end of life and have not had patches provided.
  See https://releases.openstack.org for more information on supported
  releases.
- Ironic bugfix branch patches will be available in git for interested
  operators. We will not perform an additional release from these
  branches.
- This fix removes the ability to put some valid -- but unlikely --
  special characters into kernel command line overrides. There is an
  escape hatch for impacted clouds; setting
  ``CONF.conductor.disable_kernel_parameter_parsing`` to true will
  restrict Ironic to only blocking the most dangerous, nonsensical
  special characters at the cost of being less security hardened against
  future attacks.
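
As an added example (not code from the Ironic project or from this advisory), the audit below lets an operator check existing nodes for kernel command line overrides that contain unexpected characters before the fix is applied, with a strict allowlist and a relaxed mode that mirrors the escape hatch described above. It assumes the override is stored under the ``kernel_append_params`` key of ``driver_info`` or ``instance_info``; the character sets are the example author's conservative choices, not the ones used by the actual patches.

```python
"""Audit Ironic node kernel command line overrides for unexpected characters."""
import string

# Strict mode: characters a normal kernel command line needs (key=value
# pairs, device paths, IP literals, comma lists, quoted values with spaces).
# This allowlist is an assumption for the example, not Ironic's own set.
STRICT_ALLOWED = set(string.ascii_letters + string.digits + "._-=/:,@+ \"'")


def audit_kernel_params(params: str, strict: bool = True) -> list:
    """Return the sorted, distinct characters in ``params`` that are not allowed.

    strict=True  -> anything outside STRICT_ALLOWED is reported.
    strict=False -> only non-printable or non-ASCII characters are reported,
                    modelled on the advisory's "escape hatch" behaviour.
    """
    if strict:
        return sorted({ch for ch in params if ch not in STRICT_ALLOWED})
    return sorted({ch for ch in params if not (ch.isprintable() and ch.isascii())})


def audit_nodes(nodes: list, strict: bool = True) -> list:
    """Return (node uuid, field, offending characters) for every node whose
    kernel_append_params override fails the audit. ``nodes`` are dicts shaped
    like the Ironic API node representation."""
    findings = []
    for node in nodes:
        for field in ("driver_info", "instance_info"):
            value = (node.get(field) or {}).get("kernel_append_params")
            if value is None:
                continue
            bad = audit_kernel_params(value, strict=strict)
            if bad:
                findings.append((node["uuid"], field, bad))
    return findings


# Constructed sample data: one benign override and one containing a newline
# and a semicolon, neither of which belongs in a kernel command line.
SAMPLE_NODES = [
    {"uuid": "node-a-uuid",
     "driver_info": {"kernel_append_params": "console=ttyS0,115200n8 nofb nomodeset ip=dhcp"},
     "instance_info": {}},
    {"uuid": "node-b-uuid",
     "driver_info": {},
     "instance_info": {"kernel_append_params": "quiet\nbogus;value"}},
]

if __name__ == "__main__":
    for uuid, field, chars in audit_nodes(SAMPLE_NODES):
        print(f"{uuid}: {field}.kernel_append_params contains {chars!r}")
```

Run against real nodes by feeding the output of ``openstack baremetal node list --fields uuid driver_info instance_info -f json`` into ``audit_nodes``.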
