CVE-2026-5265 MEDIUM

CVE-2026-5265: Ovn: ovn: heap over-read in icmp error response generation - security issue

Vendor Red Hat
Product Fast Datapath for RHEL 7
Weakness CWE-130
Published April 24, 2026
Last update June 1, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

01Description

When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
June 1, 2026 Record updated