OVN heap over-read flaws leak memory via DHCPv6 and ICMP responses
Red Hat disclosed two heap over-read vulnerabilities in OVN (Open Virtual Network) that can leak memory from ovn-controller back to attacker-controlled workloads. CVE-2026-5367 affects DHCPv6 Client ID processing: when the userspace pinctrl thread builds a DHCPv6 ADVERTISE reply, it echoes the Client ID option using the attacker-supplied option length without checking that length against the bounds of the received packet. A malicious workload can send a crafted DHCPv6 SOLICIT with an inflated Client ID length and have heap data beyond the valid packet buffer copied into the reply and returned to its VM port. The code path is reachable in deployments where DHCPv6 options are configured on Logical Switch Ports, since that is what makes ovn-controller answer DHCPv6 on the port.
A second flaw, CVE-2026-5265, affects ICMP error generation in the same component. When OVN builds an ICMP Destination Unreachable or ICMPv6 Packet Too Big message, it copies data from the offending packet into the response using the packet's self-declared IPv4 total length or IPv6 payload length, without validating that value against the actual buffer size. A malicious VM can therefore send a truncated packet with an inflated length field and receive adjacent heap memory in the ICMP reply. Any feature that makes ovn-controller generate ICMP errors is a trigger: reject ACLs, Gateway MTU checks, and load balancers configured with reject. Users were advised to apply patches or upgrade to fixed releases, namely v24.03.8, v25.03.3, v25.09.3 and v26.03.1; for CVE-2026-5367, v24.09.4 is also listed as fixed, while Red Hat noted that the previously referenced 24.09 release for CVE-2026-5265 will not occur.
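Both flaws share one root cause: a length field taken from the packet is used to size a copy out of the receive buffer. The C below is an added example, not OVN's pinctrl code, showing the two checks that close that gap: a DHCPv6 option walk that refuses a Client ID whose declared length exceeds the bytes actually received, and an ICMP quote-length calculation that clamps the IP header's declared length to the buffer in hand. Packet layouts follow RFC 8415 (DHCPv6: msg-type, 3-byte transaction id, 2-byte option code, 2-byte option length) and the IPv4/IPv6 base headers; the sample packets are constructed, and the ICMP size caps are an assumption taken from the RFC 1812 (576-byte) and RFC 4443 (1280-byte) limits on error messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bounds checks; not OVN's implementation. */
#define DHCPV6_MSG_SOLICIT   1
#define DHCPV6_MSG_ADVERTISE 2
#define DHCPV6_OPT_CLIENTID  1

/* Locate a DHCPv6 option. Returns NULL when it is absent or when its
 * declared length runs past the bytes actually received; that second
 * condition is the check whose absence lets a reply carry heap data. */
static const uint8_t *
dhcpv6_find_option(const uint8_t *pkt, size_t pkt_len, uint16_t want,
                   uint16_t *out_len)
{
    size_t off = 4;                       /* skip msg-type + transaction id */
    while (off + 4 <= pkt_len) {
        uint16_t code = (uint16_t)(pkt[off] << 8 | pkt[off + 1]);
        uint16_t len  = (uint16_t)(pkt[off + 2] << 8 | pkt[off + 3]);
        off += 4;
        if (len > pkt_len - off) {
            return NULL;                  /* inflated length: refuse, never copy */
        }
        if (code == want) {
            *out_len = len;
            return pkt + off;
        }
        off += len;
    }
    return NULL;
}

/* Build an ADVERTISE that echoes the client's CLIENTID. Returns the reply
 * length, or 0 when the SOLICIT should be dropped instead of answered. */
size_t
dhcpv6_build_advertise(const uint8_t *solicit, size_t solicit_len,
                       uint8_t *reply, size_t reply_cap)
{
    if (solicit_len < 4 || solicit[0] != DHCPV6_MSG_SOLICIT) {
        return 0;
    }
    uint16_t cid_len = 0;
    const uint8_t *cid = dhcpv6_find_option(solicit, solicit_len,
                                            DHCPV6_OPT_CLIENTID, &cid_len);
    if (!cid || (size_t) 8 + cid_len > reply_cap) {
        return 0;
    }
    reply[0] = DHCPV6_MSG_ADVERTISE;
    memcpy(reply + 1, solicit + 1, 3);    /* transaction id */
    reply[4] = 0;
    reply[5] = DHCPV6_OPT_CLIENTID;
    reply[6] = (uint8_t)(cid_len >> 8);
    reply[7] = (uint8_t)(cid_len & 0xff);
    memcpy(reply + 8, cid, cid_len);      /* safe: cid_len bounded by pkt_len */
    return 8 + cid_len;
}

/* Bytes of the offending datagram to quote in an ICMP error. The IPv4 total
 * length / IPv6 payload length is attacker-controlled; the real upper bound
 * is recv_len. Caps (assumed here) are the RFC 1812 / RFC 4443 error-message
 * limits minus the outer IP and ICMP headers. */
size_t
icmp_quote_len(const uint8_t *ip, size_t recv_len)
{
    size_t declared, cap;
    uint8_t ver = recv_len ? ip[0] >> 4 : 0;
    if (ver == 4 && recv_len >= 20) {
        declared = (size_t)(ip[2] << 8 | ip[3]);          /* total length */
        cap = 576 - 20 - 8;
    } else if (ver == 6 && recv_len >= 40) {
        declared = 40 + (size_t)(ip[4] << 8 | ip[5]);     /* hdr + payload length */
        cap = 1280 - 40 - 8;
    } else {
        return 0;
    }
    size_t n = declared < recv_len ? declared : recv_len; /* the missing clamp */
    return n < cap ? n : cap;
}

/* Constructed sample packets, not captures. */
static const uint8_t bad_solicit[] = {   /* CLIENTID claims 200 bytes, 4 present */
    DHCPV6_MSG_SOLICIT, 0x12, 0x34, 0x56, 0x00, 0x01, 0x00, 0xC8, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t good_solicit[] = {  /* CLIENTID of 4 bytes */
    DHCPV6_MSG_SOLICIT, 0x12, 0x34, 0x56, 0x00, 0x01, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t truncated_ipv4[60] = { 0x45, 0x00, 0x05, 0xDC }; /* total len 1500, 60 received */
static const uint8_t short_ipv4[60]     = { 0x45, 0x00, 0x00, 0x28 }; /* total len 40, 60 received */
static const uint8_t ipv6_pkt[1400]     = { 0x60, [4] = 0x05, [5] = 0x00 }; /* payload len 1280 */
static uint8_t reply_buf[256];

int main(void)
{
    printf("inflated SOLICIT -> reply %zu bytes (0 = dropped)\n",
           dhcpv6_build_advertise(bad_solicit, sizeof bad_solicit, reply_buf, sizeof reply_buf));
    printf("valid SOLICIT    -> reply %zu bytes\n",
           dhcpv6_build_advertise(good_solicit, sizeof good_solicit, reply_buf, sizeof reply_buf));
    printf("ICMPv4 quote for truncated packet: %zu bytes (declared 1500)\n",
           icmp_quote_len(truncated_ipv4, sizeof truncated_ipv4));
    printf("ICMPv6 quote for 1400-byte packet: %zu bytes (capped)\n",
           icmp_quote_len(ipv6_pkt, sizeof ipv6_pkt));
    return 0;
}
```

The inflated SOLICIT yields no reply at all rather than a reply padded with whatever followed the packet on the heap, and the truncated IPv4 datagram is quoted at the 60 bytes that exist instead of the 1500 it claims. Dropping the malformed packet is the right response in both cases: a length field that disagrees with the bytes received is either corruption or an attack, and neither deserves an answer.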
Timeline
Apr 20, 2026
Red Hat discloses CVE-2026-5265 OVN ICMP response heap over-read
Red Hat disclosed CVE-2026-5265, a heap over-read in OVN's ICMP error response generation caused by trusting self-declared IPv4 or IPv6 length fields without validating packet bounds. A malicious VM can trigger ICMP errors via reject ACLs, Gateway MTU checks, or reject-configured load balancers and receive leaked heap memory in the response.
Apr 20, 2026
Red Hat discloses CVE-2026-5367 OVN DHCPv6 heap over-read
Red Hat published an advisory for CVE-2026-5367, describing a heap over-read in OVN's DHCPv6 Client ID processing. A malicious workload can send a crafted DHCPv6 SOLICIT packet with an inflated Client ID length and receive leaked heap memory in the DHCPv6 reply.
Apr 20, 2026
OVN patches heap over-read flaws in supported release branches
Patches were made available for affected OVN versions, with fixed releases including v24.03.8, v24.09.4, v25.03.3, v25.09.3, and v26.03.1 for CVE-2026-5367, and v24.03.8, v25.03.3, v25.09.3, and v26.03.1 for CVE-2026-5265. Red Hat advised users to upgrade rather than rely on mitigations that could disrupt traffic.
Apr 20, 2026
MITRE assigns CVE-2026-5367 to OVN DHCPv6 Client ID flaw
MITRE assigned CVE-2026-5367 to the OVN heap over-read vulnerability affecting DHCPv6 ADVERTISE reply generation in ovn-controller. The issue impacts deployments using DHCPv6 options on Logical Switch Ports.
Apr 20, 2026
Seiji Sakurai reports OVN DHCPv6 Client ID heap over-read bug
The OVN team credited Seiji Sakurai with reporting a heap over-read flaw in DHCPv6 Client ID processing that was later assigned CVE-2026-5367. The bug allows attacker-controlled length fields in crafted DHCPv6 SOLICIT packets to cause memory beyond valid packet data to be copied into replies.