PatchSiren cyber security CVE debrief
CVE-2026-5265 Red Hat CVE debrief
A vulnerability in OVN (Open Virtual Network) ovn-controller allows a virtual machine to trigger an out-of-bounds heap read that leaks memory into ICMP error responses. When ovn-controller generates ICMP Destination Unreachable or Packet Too Big messages, it copies a portion of the original packet into the ICMP body using the IP header's self-declared total length field without validating that length against the actual received packet buffer size. A malicious VM can send a crafted short packet with an inflated IPv4 total length (ip_tot_len) or IPv6 payload length (ip6_plen) field, then trigger an ICMP error condition such as a reject ACL hit. This causes ovn-controller to read beyond the valid packet data from heap memory and include that leaked data in the ICMP response sent back to the VM. The vulnerability was disclosed via the oss-security mailing list on April 20, 2026, and published in the CVE database on April 24, 2026. Red Hat has issued multiple security advisories addressing this flaw across affected product lines. The CVSS 3.1 vector indicates network attack vector, high attack complexity, no required privileges or user interaction, with low confidentiality impact and high availability impact.
- Vendor: Red Hat
- Product: Fast Datapath for Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-24
- Original CVE updated: 2026-06-01
- Advisory published: 2026-04-24
- Advisory updated: 2026-06-01
Who should care
Organizations running OVN-based virtualized networks, particularly those using ovn-controller for OpenStack Neutron, OpenShift SDN, or standalone OVN deployments where untrusted VMs have network connectivity.
Technical summary
The vulnerability exists in OVN ovn-controller's ICMP error response generation path. When constructing ICMP Destination Unreachable (Type 3) or Packet Too Big (Type 2 for IPv6) messages, the code uses the original packet's IP header length field to determine how much data to copy into the ICMP payload. For IPv4, this is the ip_tot_len field; for IPv6, the ip6_plen field. These values are not validated against the actual size of the packet buffer held by ovn-controller. A VM can send a packet that is physically short (e.g., minimum Ethernet frame size) but with a large value in the IP length field, then trigger an action that causes ovn-controller to reject the packet and generate an ICMP error. The resulting out-of-bounds read from heap memory can leak sensitive data back to the attacker-controlled VM. The high attack complexity in the CVSS vector reflects the need to trigger specific ICMP-generating conditions and the limited control over leaked data.
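The length check described above, as an added illustration in C; this is not OVN's code or the upstream patch. The function names, the 576-byte quote limit and the sample packet are assumptions constructed for the example, which compares the header-declared length with the bytes actually received and clamps the copy to the smaller value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_MIN 20u
#define IPV6_HDR_LEN 40u

/* Length the packet claims for itself, counted from the start of the L3
 * header. Returns 0 if the fixed header is not fully present. */
static size_t declared_l3_len(const uint8_t *l3, size_t avail)
{
    if (l3 == NULL || avail == 0)
        return 0;
    if ((l3[0] >> 4) == 4 && avail >= IPV4_HDR_MIN)
        return ((size_t)l3[2] << 8) | l3[3];                  /* ip_tot_len */
    if ((l3[0] >> 4) == 6 && avail >= IPV6_HDR_LEN)
        return IPV6_HDR_LEN + (((size_t)l3[4] << 8) | l3[5]); /* ip6_plen */
    return 0;
}

/* Bytes that may be quoted into an ICMP error body: the declared length,
 * clamped to what was actually received and to the caller's quote limit. */
static size_t safe_quote_len(const uint8_t *l3, size_t avail, size_t max_quote)
{
    size_t n = declared_l3_len(l3, avail);
    if (n > avail)
        n = avail;      /* the check whose absence causes the over-read */
    if (n > max_quote)
        n = max_quote;
    return n;
}

int main(void)
{
    /* Constructed sample: 28 bytes received, IPv4 header declares 1500. */
    uint8_t pkt[28] = { 0x45, 0x00, 0x05, 0xdc };
    uint8_t body[576];  /* assumed quote limit for this example */
    size_t n = safe_quote_len(pkt, sizeof pkt, sizeof body);
    memcpy(body, pkt, n);   /* reads only bytes that were received */
    printf("declared=%zu received=%zu quoted=%zu\n",
           declared_l3_len(pkt, sizeof pkt), sizeof pkt, n);
    return 0;
}
```

A declared length larger than the received length is the CWE-130 inconsistency itself, so the same comparison can serve as a drop or log condition ahead of ICMP generation.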
Defensive priority
medium
Recommended defensive actions
- Apply Red Hat security advisories for affected OVN/OpenShift products as they become available for your distribution and version
- Validate that ovn-controller instances are updated to patched versions that properly bound-check IP header length fields against actual packet buffer sizes
- Monitor for anomalous ICMP error traffic patterns from ovn-controller that may indicate attempted exploitation
- Restrict VM network capabilities where possible to reduce attack surface for crafted packet injection
- Review ACL and security group configurations to understand paths that trigger ICMP Destination Unreachable or Packet Too Big generation
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Red Hat errata and bugzilla references confirm vendor acknowledgment and patch availability. CWE-130 (Improper Handling of Length Parameter Inconsistency) assigned by Red Hat. CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H from NVD source data. Timeline: disclosed via oss-security 2026-04-20, CVE published 2026-04-24, modified 2026-06-01.
Official resources
2026-04-24