[OSSA-2026-022] OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints (CVE-2026-46448)

[Goutham Pacha Ravi <gouthampravi () gmail com>]

==========================================================================================================
OSSA-2026-022: Nova scheduler hint injection bypasses Placement resource 
claims and scheduling constraints
==========================================================================================================

:Date: June 16, 2026
:CVE: CVE-2026-46448


Affects
~~~~~~~
- Nova: >=18.0.0 <31.3.1, >=32.0.0 <32.2.1, >=33.0.0 <33.0.2


Description
~~~~~~~~~~~
Erichen from the Institute of Computing Technology, Chinese Academy of 
Sciences reported that Nova's server create API does not strip internal 
scheduler hints. An authenticated user can bypass Placement resource 
claims and scheduling constraint enforcement, including availability 
zone, host aggregate, and image trait restrictions. The resulting 
instance has no Placement allocation, which can lead to compute node 
resource exhaustion and cross-tenant data persistence on NVMe devices 
after instance deletion. Deployments running Nova 18.0.0 or later are 
affected.



Patches
~~~~~~~
- https://review.opendev.org/993604 (2025.1/epoxy)
- https://review.opendev.org/993603 (2025.2/flamingo)
- https://review.opendev.org/993602 (2026.1/gazpacho)
- https://review.opendev.org/993601 (2026.2/hibiscus)


Credits
~~~~~~~
- Erichen from Institute of Computing Technology, Chinese Academy of 
Sciences (CVE-2026-46448)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2151252
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-46448

--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

Attachment: OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature