EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the Open Virtual Network (OVN) software, specifically in versions prior to v24.03. The identified vulnerabilities are two critical heap over-read flaws, which could allow malicious actors to siphon sensitive information from the memory of virtualized environments by sending specially crafted network packets. These vulnerabilities could lead to significant business risk and impact, including the potential exposure of sensitive data, disruption of virtualized environments, and compromise of sensitive information.
The OVN vulnerabilities are categorized under heap over-read flaws, which could result in sensitive data leaks. The business risk and impact associated with these vulnerabilities are substantial, as they could compromise the confidentiality, integrity, and availability of virtualized environments.
CVE-2026-5265 with a CVSS score of 9.8 – A VM can send a short packet with an inflated IP length field that triggers an ICMP error. ovn-controller then reads heap memory beyond the valid packet data, includes the adjacent heap contents in the ICMP response, and delivers them directly back to the attacker. This vulnerability resides in how OVN generates ICMP error responses when handling tasks like PMTU discovery or rejected ACLs.
CVE-2026-5367 with a CVSS score of 9.8 – A workload can send a crafted DHCPv6 SOLICIT with an inflated Client ID length field. ovn-controller then copies heap memory beyond the valid packet data into the reply, exposing sensitive adjacent data. This vulnerability targets OVN's DHCPv6 client ID processing, specifically in the pinctrl thread when building DHCPv6 ADVERTISE replies.
The OVN vulnerabilities pose a significant risk to virtualized environments, with potential consequences including sensitive data exposure, disruption of virtualized environments, and compromise of sensitive information. Immediate attention is required to address these vulnerabilities and prevent potential exploitation.
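Both flaws described above come down to a length field inside the packet being trusted over the number of bytes actually received. The following C code is an added example of the bounds checks that prevent this class of over-read; it is not OVN's code or its fix, and the function names, the 576-byte quote cap and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of a received IPv4 packet that may be quoted in an ICMP error.
 * The total-length field is sender-controlled: it may shrink the result, never grow it. */
size_t icmp_quote_len(const uint8_t *ip, size_t rx_len, size_t max_quote)
{
    if (rx_len < 20 || (ip[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t declared = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || ihl > rx_len || declared < ihl)
        return 0;
    size_t n = declared < rx_len ? declared : rx_len;   /* clamp to received */
    return n < max_quote ? n : max_quote;
}

/* Locate DHCPv6 option `code` (1 = Client ID) in opts_len received bytes.
 * Returns data length and sets *data; -1 if absent or a length overruns the buffer. */
int dhcpv6_find_opt(const uint8_t *opts, size_t opts_len, uint16_t code,
                    const uint8_t **data)
{
    size_t off = 0;
    while (opts_len - off >= 4) {
        uint16_t c = (uint16_t)((opts[off] << 8) | opts[off + 1]);
        size_t len = ((size_t)opts[off + 2] << 8) | opts[off + 3];
        off += 4;
        if (len > opts_len - off)
            return -1;              /* inflated length: drop, do not copy */
        if (c == code) {
            *data = opts + off;
            return (int)len;
        }
        off += len;
    }
    return -1;
}

/* Constructed samples: 28 bytes received but header claims 1500; Client ID claims 1024 bytes. */
static const uint8_t short_ip[28] = { 0x45, 0x00, 0x05, 0xdc };
static const uint8_t bad_cid[] = { 0x00, 0x01, 0x04, 0x00, 0xaa, 0xbb, 0xcc, 0xdd };
int main(void)
{
    const uint8_t *d = NULL;
    printf("quote=%zu cid=%d\n", icmp_quote_len(short_ip, sizeof short_ip, 576),
           dhcpv6_find_opt(bad_cid, sizeof bad_cid, 1, &d));
    return 0;
}
```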
RECOMMENDATION:
We recommend updating OVN to version v24.03.8, v25.03.3, v25.09.3, or v26.03.1.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/ovn-heap-over-read-packet-leakage-advisory/