PatchSiren

CVE-2026-44919 Bugs CVE debrief

CVE-2026-44919 describes an availability issue in OpenStack Ironic image handling. In affected versions through 35.x before commit a3f6d73, a file:///dev/zero URL can cause the checksum calculation to loop indefinitely, tying up the worker that processes the image and delaying other image-related operations.

Vendor: Bugs (as recorded in the supplied advisory; the affected project is OpenStack Ironic)
Product: Unknown (as recorded; see the technical summary)
CVSS: 4.3 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

OpenStack Ironic operators, especially teams that ingest or process image URLs during provisioning workflows, should review this issue. Environments that allow untrusted or user-influenced image sources deserve the most attention.

Technical summary

The advisory and linked bug report describe an infinite loop during checksum calculation in OpenStack Ironic's image-handling path. The trigger is a file:///dev/zero URL: a checksum routine that reads its source until end-of-file never finishes on a character device such as /dev/zero, which produces bytes forever and never signals end-of-file, so the loop keeps running and the worker executing it stays busy. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L: reachable over the network, low attack complexity, low privileges required, no user interaction, unchanged scope, and an availability impact only (no confidentiality or integrity impact). The fix is associated with commit a3f6d735ac3642ab95b49142c7305f072ae748d0.

Defensive priority

Medium. The impact is limited to availability, but the issue is low-complexity and can affect provisioning or image-processing workflows. Prioritize if Ironic handles externally influenced image URLs or if image processing is business-critical.

Recommended defensive actions

  • Confirm whether your OpenStack Ironic deployment runs 35.x or earlier and, if so, whether the deployed tree already contains fix commit a3f6d73 (a3f6d735ac3642ab95b49142c7305f072ae748d0); check the source history or the changelog of your packaged build rather than assuming from the version number alone.
  • Review any workflows that accept or transform image URLs, especially file:// schemes, and restrict them unless explicitly required.
  • Apply the upstream fix from commit a3f6d735ac3642ab95b49142c7305f072ae748d0 or upgrade to a release that includes it.
  • Monitor image-handling and checksum-calculation paths for abnormal CPU use or hung provisioning tasks.
  • If you must support file:// inputs, validate and constrain allowed targets: resolve the path, confine it to an allow-listed directory, and verify on the opened descriptor (fstat, not just a check on the path) that it is a regular file, so device files such as /dev/zero, FIFOs and other endless or blocking sources cannot be referenced. A byte budget on the checksum loop is a useful second line of defense, because even a regular file can be made arbitrarily large.
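The following added example is not OpenStack Ironic's code and is not taken from the advisory or the fix commit; it illustrates the mechanism in the technical summary and the last defensive action above. It pairs the fragile read-until-EOF checksum pattern with a hardened loader that restricts the URL scheme and host, confines the path to an allow-listed root, rejects anything that is not a regular file using fstat on the opened descriptor, and caps the bytes hashed. All names (open_local_image, bounded_checksum, MAX_IMAGE_BYTES, EndlessZeros) are illustrative; EndlessZeros is a constructed stand-in for /dev/zero that gives up after a fixed number of reads so the hang can be demonstrated without actually hanging, and the sample image is constructed in a temp directory.

```python
"""Added example for the CVE-2026-44919 debrief; not OpenStack Ironic's code.
Contrasts a read-until-EOF checksum loop, which never returns on
file:///dev/zero, with a loader that restricts URL schemes, refuses anything
but regular files and caps the bytes it hashes. All names are illustrative."""
import hashlib
import os
import stat
import tempfile
from urllib.parse import unquote, urlparse

MAX_IMAGE_BYTES = 64 * 1024 * 1024  # illustrative budget, not an Ironic setting
CHUNK = 64 * 1024

class ImageSourceError(ValueError):
    """The URL or file was rejected before, or while, being hashed."""

class EndlessZeros:
    """Constructed stand-in for /dev/zero: read() never returns b''. After
    max_reads calls it raises, so the hang can be shown without hanging."""

    def __init__(self, max_reads=1000):
        self.reads, self.max_reads = 0, max_reads

    def read(self, size=CHUNK):
        self.reads += 1
        if self.reads > self.max_reads:
            raise RuntimeError("checksum loop did not terminate")
        return b"\0" * size

def checksum_until_eof(stream, algorithm="sha256"):
    """Fragile pattern: hash until read() returns b''; /dev/zero never does."""
    h = hashlib.new(algorithm)
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return h.hexdigest()
        h.update(chunk)

def bounded_checksum(stream, max_bytes=MAX_IMAGE_BYTES, algorithm="sha256"):
    """Hash at most max_bytes (overshoot < CHUNK); fail rather than read on."""
    h, total = hashlib.new(algorithm), 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return h.hexdigest()
        total += len(chunk)
        if total > max_bytes:
            raise ImageSourceError(f"image exceeds {max_bytes}-byte budget")
        h.update(chunk)

def open_local_image(url, allowed_root):
    """Open a file:// URL only if it resolves to a regular file under allowed_root.
    The type check uses fstat on the opened fd, so a path swapped after validation
    (or a device such as /dev/zero, a FIFO, a directory) is still refused."""
    parsed = urlparse(url)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise ImageSourceError(f"scheme or host not allowed: {url}")
    root = os.path.realpath(allowed_root)
    path = os.path.realpath(unquote(parsed.path))
    if os.path.commonpath([root, path]) != root:
        raise ImageSourceError(f"path escapes {root}: {path}")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NOCTTY", 0)
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ImageSourceError(f"not a regular file: {path}")
        if st.st_size > MAX_IMAGE_BYTES:
            raise ImageSourceError(f"too large: {path}")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")

def checksum_image_url(url, allowed_root, max_bytes=MAX_IMAGE_BYTES):
    """Validated open plus bounded hash: the replacement for checksum_until_eof."""
    with open_local_image(url, allowed_root) as f:
        return bounded_checksum(f, max_bytes)

def is_acceptable(url, allowed_root="/"):
    """True if open_local_image accepts the URL; rejections and unreadable
    paths (missing file, permission denied) both count as False."""
    try:
        open_local_image(url, allowed_root).close()
        return True
    except (ImageSourceError, OSError):
        return False

# Constructed sample image; sha256(b"abc") is the standard test vector.
CONSTRUCTED_IMAGE = b"abc"
CONSTRUCTED_IMAGE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

def write_constructed_image(content=CONSTRUCTED_IMAGE):
    """Write content into a fresh temp dir; return (dir, file:// URL)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "image.raw")
    with open(path, "wb") as f:
        f.write(content)
    return d, "file://" + path
```

Running `checksum_image_url(url, d)` on the constructed image returns the sha256 of the sample bytes, while `is_acceptable("file:///dev/zero")` is False on a Linux host because the fstat check sees a character device. The same pattern extends to any source that can block or never end (FIFOs, /dev/random, network mounts), which is why the regular-file check and the byte budget are both kept even when the scheme allow-list already blocks file:// in production.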

Evidence notes

This debrief is based only on the supplied GitHub Advisory Database record, the NVD reference, the Launchpad bug reference, and the upstream OpenDev commit reference. The source advisory is marked unreviewed. The CVE publication timestamp used here is 2026-05-14T03:32:08Z, per the supplied record.

Official resources

Publicly disclosed on 2026-05-14 through the CVE record, NVD, and GitHub Advisory Database. The advisory entry is marked unreviewed and is not reported as withdrawn.