CVE-2026-5265

EUVD-2026-25420
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Debian logo
Debian Releases
Debian Product
Codename
ovn
bookworm
vulnerable
forky
26.03.0-6
fixed
sid
26.03.0-6
fixed
trixie
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://access.redhat.com/errata/RHSA-2026:11694
https://access.redhat.com/errata/RHSA-2026:11695
https://access.redhat.com/errata/RHSA-2026:11696
https://access.redhat.com/errata/RHSA-2026:11698
https://access.redhat.com/errata/RHSA-2026:11700
https://access.redhat.com/errata/RHSA-2026:11701
https://access.redhat.com/errata/RHSA-2026:11702
https://access.redhat.com/errata/RHSA-2026:22110
https://access.redhat.com/errata/RHSA-2026:22111
https://access.redhat.com/security/cve/CVE-2026-5265
https://bugzilla.redhat.com/show_bug.cgi?id=2453458
http://www.openwall.com/lists/oss-security/2026/04/20/2
http://www.openwall.com/lists/oss-security/2026/04/20/4