Bug 2453458 (CVE-2026-5265)

Summary: CVE-2026-5265 ovn: ovn: Heap Over-Read in ICMP Error Response Generation - security issue
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: echaudro, fleitner, ktraynor, rkhan, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-04-06   

Description OSIDB Bzimport 2026-03-31 17:41:34 UTC 
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Comment 2 errata-xmlrpc 2026-04-29 12:41:30 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2026:11694 https://access.redhat.com/errata/RHSA-2026:11694
Comment 3 errata-xmlrpc 2026-04-29 12:41:36 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2026:11695 https://access.redhat.com/errata/RHSA-2026:11695
Comment 4 errata-xmlrpc 2026-04-29 12:41:45 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2026:11698 https://access.redhat.com/errata/RHSA-2026:11698
Comment 5 errata-xmlrpc 2026-04-29 12:41:55 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2026:11696 https://access.redhat.com/errata/RHSA-2026:11696
Comment 6 errata-xmlrpc 2026-04-29 12:42:50 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2026:11701 https://access.redhat.com/errata/RHSA-2026:11701
Comment 7 errata-xmlrpc 2026-04-29 12:46:24 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2026:11702 https://access.redhat.com/errata/RHSA-2026:11702
Comment 8 errata-xmlrpc 2026-04-29 12:46:45 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2026:11700 https://access.redhat.com/errata/RHSA-2026:11700