Re: [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing

[Ales Musil <amusil () redhat com>]

On Mon, Apr 20, 2026 at 11:01 AM Ales Musil <amusil () redhat com> wrote:

> Description
> ===========
>
> Multiple versions of OVN (Open Virtual Network) are vulnerable to
> crafted DHCPv6 packets that could potentially read out-of-bounds,
> leaking adjacent info stored on the heap.
>
> OVN supports configuring DHCPv6 options for Logical Switch Ports.
> When configured we allow handling of DHCPv6 requests in a userspace
> thread called pinctrl. The thread accesses user-controlled packet data
> and copies some of it in the process of creating a reply packet.
>
> When building a DHCPv6 ADVERTISE reply, the handler echoes the
> Client ID option using the option's self-declared length without
> validating it against the actual packet bounds. A workload can send
> a crafted DHCPv6 SOLICIT with an inflated Client ID length field,
> causing ovn-controller to copy heap memory beyond the valid packet
> data into the reply. The reply is then delivered back to the
> attacker's VM port.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the CVE-2026-5367 identifier to this issue.
>
> A way to determine if any LSP has DHCPv6 options configured:
>
>   $ ovn-nbctl --columns name,dhcpv6_options list logical_switch_port
>
> If the above command returns at least one dhcpv6_option, the Logical
> Switch Port is configured to respond to DHCPv6 SOLICIT messages.
>
> Mitigation
> ==========
>
> The only potential mitigation is to disable the DHCPv6 feature for
> workloads attached to OVN logical ports, e.g.:
>
> ovn-nbctl clear logical_switch_port <workload-port> dhcpv6_options.
>
> We do not recommend mitigating the vulnerability this way because it
> will also disable legitimate DHCPv6 traffic originating from
> workloads connected to logical switch ports.
>
> Fix
> ===
>
> Patches to fix this vulnerability in OVN 24.03 and newer are
> applied to the appropriate branches.
>
> Recommendation
> ==============
>
> We recommend that users of OVN apply the patches, or upgrade to
> a known patched version of OVN.  These include:
>
>  * v24.03.8
>  * v24.09.4
>  * v25.03.3
>  * v25.09.3
>  * v26.03.1
>
> Acknowledgments
> ===============
>
> The OVN team wishes to thank the reporter:
>
>   Seiji Sakurai <Seiji.Sakurai () outlook com>
One small correction: the 24.09 release is not happening so for 24.09
please upgrade to the next available release.