PatchSiren cyber security CVE debrief
CVE-2026-5367 Red Hat CVE debrief
A high-severity out-of-bounds read vulnerability in OVN (Open Virtual Network) allows remote attackers to leak heap memory via crafted DHCPv6 SOLICIT packets. The flaw stems from insufficient validation of the Client ID option length in DHCPv6 packet parsing within ovn-controller. By sending a SOLICIT packet with an inflated Client ID length field, an attacker can cause the controller to read beyond packet boundaries, exposing sensitive heap memory contents to the attacker's virtual machine port. The vulnerability has a network attack vector with low complexity, requires no privileges or user interaction, and can affect resources beyond the vulnerable component scope (S:C), resulting in high confidentiality impact. Multiple Red Hat security advisories have been issued addressing this flaw across affected products.
- Vendor
- Red Hat
- Product
- Fast Datapath for Red Hat Enterprise Linux 10
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-24
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-04-24
- Advisory updated
- 2026-06-01
Who should care
Organizations running OVN-based virtualized networks, particularly multi-tenant cloud environments where ovn-controller processes may contain sensitive configuration data, tenant metadata, or cryptographic material in heap memory. Infrastructure operators using Red Hat OpenStack, OpenShift, or other platforms leveraging OVN for software-defined networking should prioritize patching.
Technical summary
The vulnerability exists in ovn-controller's DHCPv6 packet parsing logic. When processing a DHCPv6 SOLICIT packet, the controller reads the Client ID option length field without adequate bounds checking against the actual packet size. An attacker can craft a SOLICIT packet with a Client ID length value exceeding the remaining packet buffer, causing an out-of-bounds read from heap memory. The read contents are then returned to the attacker's VM port, achieving information disclosure. The CVSS v3.1 score of 8.6 (HIGH) reflects network accessibility, low attack complexity, no required privileges or user interaction, scope change to affected resources, and high confidentiality impact with no integrity or availability impact.
Defensive priority
HIGH
Recommended defensive actions
- Apply relevant Red Hat security advisories (RHSA-2026:11694, RHSA-2026:11695, RHSA-2026:11696, RHSA-2026:11698, RHSA-2026:11700, RHSA-2026:11701, RHSA-2026:11702, RHSA-2026:22110) as applicable to your environment
- Restrict or monitor DHCPv6 traffic to OVN-managed virtual machine ports where patching is not immediately feasible
- Review OVN deployment architecture to ensure ovn-controller instances are not exposed to untrusted tenant networks without segmentation
- Validate that virtual machine ports operate within trusted network boundaries until patches are deployed
- Monitor for anomalous DHCPv6 SOLICIT traffic patterns, particularly those with unusually large Client ID options
- Assess heap memory exposure risk in multi-tenant environments where sensitive data may reside in ovn-controller process memory
Evidence notes
CVE published 2026-04-24; modified 2026-06-01. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. CWE-130 (Improper Handling of Length Parameter Inconsistency) identified by Red Hat. Multiple RHSA errata issued. OSS-security list discussions referenced 2026-04-20.
Official resources
2026-04-24