
Description

When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
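The length inconsistency described above, as an added C example (not OVN source code; every function name, the sample buffers and the quote caps used with them are assumptions made for illustration). It contrasts a quote length taken from the IP header alone with one clamped to the bytes actually held in the packet buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not OVN source; all names are hypothetical. */
enum { IPV4_MIN_HDR = 20, IPV6_HDR_LEN = 40 };

/* Length the IP header claims for the whole packet, 0 if unparseable. */
static size_t declared_len(const uint8_t *l3, size_t avail)
{
    if (avail >= IPV4_MIN_HDR && (l3[0] >> 4) == 4) {
        size_t tot = ((size_t)l3[2] << 8) | l3[3];        /* ip_tot_len */
        return tot >= IPV4_MIN_HDR ? tot : 0;
    }
    if (avail >= IPV6_HDR_LEN && (l3[0] >> 4) == 6) {
        /* ip6_plen counts only what follows the fixed 40-byte header */
        return IPV6_HDR_LEN + (((size_t)l3[4] << 8) | l3[5]);
    }
    return 0;
}

/* Flawed pattern: quote length taken from the header alone. */
size_t quote_len_trusting(const uint8_t *l3, size_t avail, size_t cap)
{
    size_t n = declared_len(l3, avail);
    return n < cap ? n : cap;
}

/* Corrected pattern: header value clamped to the bytes really held. */
size_t quote_len_checked(const uint8_t *l3, size_t avail, size_t cap)
{
    size_t n = declared_len(l3, avail);
    if (n > avail) {
        n = avail;
    }
    return n < cap ? n : cap;
}

/* Constructed sample: 28 bytes in the buffer, ip_tot_len claims 1500. */
const uint8_t sample_v4[28] = { 0x45, 0x00, 0x05, 0xdc };
/* Constructed sample: 48 bytes in the buffer, ip6_plen claims 1000. */
const uint8_t sample_v6[48] = { 0x60, 0x00, 0x00, 0x00, 0x03, 0xe8 };

int main(void)
{
    printf("v4 trusting=%zu checked=%zu\n", quote_len_trusting(sample_v4, 28, 576),
           quote_len_checked(sample_v4, 28, 576));
    return 0;
}
```

A copy sized by `quote_len_trusting` would run past the end of the 28-byte buffer, while `quote_len_checked` never exceeds the bytes received.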

PUBLISHED Reserved 2026-03-31 | Published 2026-04-24 | Updated 2026-04-29 | Assigner redhat




MEDIUM: 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

Problem types

Improper Handling of Length Parameter Inconsistency

Product status

Default status
affected

0:21.12.0-145.el8fdp (rpm) before *
unaffected

Default status
affected

0:23.06.4-30.el9fdp (rpm) before *
unaffected

Default status
affected

0:25.09.2-103.el9fdp (rpm) before *
unaffected

Default status
affected


Timeline

2026-03-24: Reported to Red Hat.
2026-04-06: Made public.

References

www.openwall.com/lists/oss-security/2026/04/20/2

www.openwall.com/lists/oss-security/2026/04/20/4

access.redhat.com/errata/RHSA-2026:11694 (RHSA-2026:11694) vendor-advisory

access.redhat.com/errata/RHSA-2026:11696 (RHSA-2026:11696) vendor-advisory

access.redhat.com/errata/RHSA-2026:11702 (RHSA-2026:11702) vendor-advisory

access.redhat.com/security/cve/CVE-2026-5265 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2453458 (RHBZ#2453458) issue-tracking

cve.org (CVE-2026-5265)

nvd.nist.gov (CVE-2026-5265)
