CVE-2026-5367: Ovn: ovn: information disclosure via crafted dhcpv6 packets
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Security readout for executives and security teams
Plain-English summary
OVN can disclose memory from the network controller when it receives malformed DHCPv6 traffic. In affected Red Hat Fast Datapath and one OpenShift OVN stream, a remote sender may read sensitive heap data back through a virtual machine port. The issue is confidentiality-focused: no integrity or availability impact is stated.
Executive priority
Treat this as a high-priority confidentiality risk for affected virtual networking platforms. It can leak sensitive controller heap memory without authentication, but available evidence does not show active exploitation. Patch affected OVN streams through Red Hat advisories on an accelerated maintenance timeline.
Technical view
CVE-2026-5367 is a CWE-130 length-handling flaw in OVN. Crafted DHCPv6 SOLICIT packets with an inflated Client ID length can make ovn-controller read beyond packet bounds and return heap memory to the sender's VM port. CVSS 3.1 is 8.6: network, low complexity, no privileges, no user interaction, scope changed, high confidentiality impact.
Likely exposure
Exposure is most likely where affected OVN package streams run in Red Hat Fast Datapath for RHEL 8, 9, or 10, or OpenShift Container Platform 4 with ovn23.06. Environments without OVN, without affected package streams, or using source-listed unaffected streams have lower indicated exposure.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. The vulnerability is remotely reachable in the stated model and requires crafted DHCPv6 SOLICIT traffic, but the provided sources do not include public weaponization details.
Researcher notes
Key constraints are source-limited: affected Red Hat package streams are named, but fixed versions and detailed remediation text are not in the bundle. The flaw is packet length validation around DHCPv6 Client ID handling, producing an out-of-bounds read and data disclosure to the attacker-controlled VM port.
Mitigation direction
Identify Red Hat Fast Datapath and OpenShift systems running OVN.
Map installed OVN package streams against the affected list.
Apply the relevant Red Hat RHSA updates for each affected stream.
Prioritize shared virtualization and tenant-facing network environments.
If updates are unavailable, follow current Red Hat vendor guidance.
Validation and detection
Confirm installed package names and versions on Fast Datapath hosts.
Check OpenShift OVN stream; ovn23.06 is listed affected.
Verify ovn22.06, ovn22.09, ovn22.12, and ovn23.03 OpenShift streams are listed unaffected.
Review network monitoring for anomalous DHCPv6 SOLICIT activity in OVN segments.
Document whether DHCPv6 is reachable from untrusted VM or tenant ports.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-130: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-130 · source CWE mapping
Improper Handling of Length Parameter Inconsistency
Improper Handling of Length Parameter Inconsistency represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.