CVE-2026-5265— Ovn: ovn: heap over-read in icmp error response generation - security issue
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-5265
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ovn: ovn: heap over-read in icmp error response generation - security issue
Source: NVD (National Vulnerability Database)
Vulnerability Description
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
长度参数不一致性处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
OVN 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OVN是OVN开源的一个基于虚拟网络技术的数据中心网络虚拟化平台。 OVN存在安全漏洞,该漏洞源于生成ICMP错误响应时未验证IP头声明的总长度与实际数据包缓冲区大小,可能导致虚拟机发送短数据包触发ICMP错误,造成ovn-controller读取堆内存越界数据并包含在ICMP响应中。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | 0:21.12.0-145.el8fdp ~ * | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | 0:23.06.4-30.el8fdp ~ * | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:23.06.4-30.el9fdp ~ * | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:23.09.6-16.el9fdp ~ * | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:24.03.7-82.el9fdp ~ * | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:25.03.2-100.el9fdp ~ * | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | 0:25.09.2-103.el9fdp ~ * | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 10 | - | cpe:/o:redhat:enterprise_linux:10::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 10 | - | cpe:/o:redhat:enterprise_linux:10::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 7 | - | cpe:/o:redhat:enterprise_linux:7::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 7 | - | cpe:/o:redhat:enterprise_linux:7::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 7 | - | cpe:/o:redhat:enterprise_linux:7::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 8 | - | cpe:/o:redhat:enterprise_linux:8::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath | |
| Red Hat | Fast Datapath for RHEL 9 | - | cpe:/o:redhat:enterprise_linux:9::fastdatapath |
II. Public POCs for CVE-2026-5265
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-5265
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Red Hat
- CVE-2026-42011
Gnutls: gnutls: security bypass due to incorrect name constr - CVE-2026-42010
Gnutls: gnutls: authentication bypass via nul character in u - CVE-2026-6420
Keylime: keylime: security bypass due to hardcoded tpm quote - CVE-2026-34956
Openvswitch: open vswitch: denial of service via malformed f - CVE-2026-34002
Xorg: xwayland: x.org x server: information disclosure or de
Same weakness: CWE-130
- CVE-2026-5766
Potential denial-of-service vulnerability in ASGI requests v - CVE-2026-33846
Gnutls: gnutls: denial of service via heap buffer overflow i - CVE-2026-3868
Moxa EDR-8010 Series和Moxa EDR-G9010 Series 安全漏洞 - CVE-2026-5367
Ovn: ovn: information disclosure via crafted dhcpv6 packets - CVE-2026-41035
Rsync 安全漏洞
V. Comments for CVE-2026-5265
No comments yet