SB2026061836 - Input validation error in Openstack Nova

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2026-46448)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass Placement resource claims and scheduling constraints.

The vulnerability exists due to improper input validation in the Nova server create API when processing user-supplied scheduler hints. A remote user can submit crafted scheduler hints to bypass Placement resource claims and scheduling constraints.

The resulting instance has no Placement allocation, which can lead to compute node resource exhaustion and cross-tenant data persistence on NVMe devices after instance deletion.

Remediation

Install update from vendor's website.

References

• https://security.openstack.org/ossa/OSSA-2026-022.html
• https://launchpad.net/bugs/2151252