Input validation error in Openstack Nova - CVE-2026-46448
Published: June 18, 2026
Vulnerability identifier: #VU134849
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46448
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Openstack
Affected software:
Openstack Nova
Openstack Nova
Detailed vulnerability description
The vulnerability allows a remote user to bypass Placement resource claims and scheduling constraints.
The vulnerability exists due to improper input validation in the Nova server create API when processing user-supplied scheduler hints. A remote user can submit crafted scheduler hints to bypass Placement resource claims and scheduling constraints.
The resulting instance has no Placement allocation, which can lead to compute node resource exhaustion and cross-tenant data persistence on NVMe devices after instance deletion.
How to mitigate CVE-2026-46448
Install security update from vendor's website.