SB2026042077 - Two vulnerabilities in Open Virtual Network




Published: April 20, 2026

Security Bulletin ID: SB2026042077
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-5265)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the pinctrl ICMP error response handler when generating ICMP Destination Unreachable or Packet Too Big responses from crafted IP packets with inflated length fields. A remote attacker can send a specially crafted packet to disclose sensitive information.

Exploitation requires triggering an ICMP error path, such as reject ACL handling, gateway MTU checks, or a load balancer configured to reject traffic when no backends are available.


2) Out-of-bounds read (CVE-ID: CVE-2026-5367)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the DHCPv6 Client ID option handling in the pinctrl thread when processing crafted DHCPv6 SOLICIT packets. A remote attacker can send a specially crafted DHCPv6 packet with an inflated Client ID length field to disclose sensitive information.

The copied heap memory is included in the DHCPv6 ADVERTISE reply and delivered back to the attacker's VM port. Only logical switch ports configured with DHCPv6 options are exposed.
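The check this class of bug is missing, shown as an added example: it is not Open Virtual Network code and does not come from the bulletin. It validates each DHCPv6 option's declared length against the bytes actually received before the Client ID is used. The function name, sample messages and return codes are hypothetical; the 4-byte header and 2-byte code/length option layout follow RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DHCPV6_HDR_LEN      4   /* msg-type (1 byte) + transaction-id (3 bytes) */
#define DHCPV6_OPT_CLIENTID 1   /* option code of the Client ID option */

/* Constructed SOLICIT messages: Client ID declaring 4 bytes, then 256 bytes. */
static const uint8_t sample_ok[] =
    { 0x01, 0xaa, 0xbb, 0xcc, 0x00, 0x01, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_inflated[] =
    { 0x01, 0xaa, 0xbb, 0xcc, 0x00, 0x01, 0x01, 0x00, 0xde, 0xad, 0xbe, 0xef };

/* Hypothetical helper: find the Client ID option in 'len' received bytes.
 * Returns 0 and sets *duid and *duid_len on success, 1 if the option is
 * absent, -1 if an option header or declared length runs past 'len'. */
int find_client_id(const uint8_t *msg, size_t len,
                   const uint8_t **duid, size_t *duid_len)
{
    if (len < DHCPV6_HDR_LEN) {
        return -1;
    }
    size_t off = DHCPV6_HDR_LEN;
    while (off < len) {
        if (len - off < 4) {
            return -1;                  /* truncated option header */
        }
        unsigned code = (unsigned) msg[off] << 8 | msg[off + 1];
        size_t opt_len = (size_t) msg[off + 2] << 8 | msg[off + 3];
        off += 4;
        if (opt_len > len - off) {
            return -1;                  /* length field exceeds received data */
        }
        if (code == DHCPV6_OPT_CLIENTID) {
            *duid = msg + off;
            *duid_len = opt_len;
            return 0;
        }
        off += opt_len;
    }
    return 1;
}

int main(void)
{
    const uint8_t *d; size_t n;
    printf("ok=%d inflated=%d\n", find_client_id(sample_ok, sizeof sample_ok, &d, &n),
           find_client_id(sample_inflated, sizeof sample_inflated, &d, &n));
    return 0;
}
```

A reply builder that copies only `duid_len` bytes from `duid` after a return of 0 cannot read past the received packet, because the length has already been bounded by `len`.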


Remediation

Install the update from the vendor's website.