SB2026042976 - Fast Datapath for Red Hat Enterprise Linux 9 update for ovn24.03




Published: April 29, 2026

Security Bulletin ID: SB2026042976
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-5265)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the pinctrl ICMP error response handler when generating ICMP Destination Unreachable or Packet Too Big responses from crafted IP packets with inflated length fields. A remote attacker can send a specially crafted packet to disclose sensitive information.

Exploitation requires triggering an ICMP error path, such as reject ACL handling, gateway MTU checks, or a load balancer configured to reject traffic when no backends are available.


2) Out-of-bounds read (CVE-ID: CVE-2026-5367)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the DHCPv6 Client ID option handling in the pinctrl thread when processing crafted DHCPv6 SOLICIT packets. A remote attacker can send a specially crafted DHCPv6 packet with an inflated Client ID length field to disclose sensitive information.

The copied heap memory is included in the DHCPv6 ADVERTISE reply and delivered back to the attacker's VM port. Only logical switch ports configured with DHCPv6 options are exposed.
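The class of check that prevents this kind of over-read, as an added example that is not OVN's code or the vendor's patch: a DHCPv6 option walker that compares each declared option length against the bytes actually received before copying the Client ID. The function name, constants and sample packets are hypothetical and constructed for illustration; the layout (4-byte header, 2-byte option code and length, DUID of at most 2 + 128 octets) follows RFC 8415.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN      4    /* msg-type (1) + transaction-id (3), RFC 8415 */
#define OPT_HDR_LEN  4    /* option-code (2) + option-len (2) */
#define OPT_CLIENTID 1    /* OPTION_CLIENTID */
#define DUID_MAX     130  /* 2-octet type code + at most 128 octets */

/* Copy the Client ID DUID into out; return its length, or -1 when the option
 * is absent, malformed, or declares more bytes than the packet contains. */
int copy_client_id(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t cap)
{
    if (pkt_len < HDR_LEN) return -1;
    size_t off = HDR_LEN;
    while (pkt_len - off >= OPT_HDR_LEN) {
        uint16_t code = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        uint16_t len  = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        off += OPT_HDR_LEN;
        if (len > pkt_len - off) return -1;  /* inflated length: reject */
        if (code == OPT_CLIENTID) {
            if (len < 3 || len > DUID_MAX || len > cap) return -1;
            memcpy(out, pkt + off, len);     /* len is bounded by the packet */
            return len;
        }
        off += len;  /* skip other options; bounds already checked */
    }
    return -1;
}

/* Constructed sample: SOLICIT with a 10-byte DUID-LL Client ID. */
static const uint8_t SAMPLE_OK[] = {
    0x01, 0xaa, 0xbb, 0xcc,  0x00, 0x01, 0x00, 0x0a,
    0x00, 0x03, 0x00, 0x01,  0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
/* Constructed sample: same bytes, but option-len claims 256. */
static const uint8_t SAMPLE_INFLATED[] = {
    0x01, 0xaa, 0xbb, 0xcc,  0x00, 0x01, 0x01, 0x00,
    0x00, 0x03, 0x00, 0x01,  0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    uint8_t duid[DUID_MAX];
    printf("well-formed: %d\n", copy_client_id(SAMPLE_OK, sizeof SAMPLE_OK, duid, sizeof duid));
    printf("inflated:    %d\n", copy_client_id(SAMPLE_INFLATED, sizeof SAMPLE_INFLATED, duid, sizeof duid));
    return 0;
}
```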


Remediation

Install the update from the vendor's website.