CVE-2026-5265
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/04/2026
Last modified:
29/04/2026
Description
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://access.redhat.com/errata/RHSA-2026:11694
- https://access.redhat.com/errata/RHSA-2026:11695
- https://access.redhat.com/errata/RHSA-2026:11696
- https://access.redhat.com/errata/RHSA-2026:11698
- https://access.redhat.com/errata/RHSA-2026:11700
- https://access.redhat.com/errata/RHSA-2026:11701
- https://access.redhat.com/errata/RHSA-2026:11702
- https://access.redhat.com/security/cve/CVE-2026-5265
- https://bugzilla.redhat.com/show_bug.cgi?id=2453458
- http://www.openwall.com/lists/oss-security/2026/04/20/2
- http://www.openwall.com/lists/oss-security/2026/04/20/4