Cyber Resilience

CVE-2026-25804

Severity: High
Published: 06 February 2026
Modified: 28 February 2026
KEV Added: none (not in the CISA KEV catalog)
CVSS Score v4: 8.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0044 (35.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25804 is a high-severity Improper Authentication (CWE-287) vulnerability in Linuxfoundation Antrea. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify System Firewall (T1686). The CVE ranks at the 35.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-25804 is a uint16 (16-bit unsigned integer) arithmetic overflow vulnerability in Antrea, a Kubernetes-native networking solution. The flaw affects Antrea versions prior to 2.3.2 and 2.4.3, specifically in the network policy priority assignment system. It causes incorrect OpenFlow priority calculations when a large number of policies with varied priority values is processed, which can lead to traffic being enforced under the wrong rule.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating network-accessible exploitation with low complexity, no required privileges, and no user interaction. Attackers can exploit it by submitting a large volume of network policies to trigger the overflow, resulting in miscalculated priorities that disrupt policy enforcement. This enables high-impact confidentiality violations, such as unauthorized data access, and availability issues, like traffic denial or misrouting.

Antrea has patched the issue in version 2.4.3. Administrators should upgrade to this version or later to mitigate the vulnerability. Official details are provided in the Antrea security advisory at GHSA-86x4-wp9f-wrr9, the fixing pull request #7496, and commit 86c4b6010f3be536866f339b632621c23d7186fa on the project's GitHub repository.
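To make the bug class concrete, the following is an added Go illustration, not Antrea's own code: the base value, the count-down priority layout and the function names are assumptions made for this example. OpenFlow flow priorities are 16-bit, so a priority derived with uint16 subtraction wraps silently once the policy index exceeds the base, turning what should be the lowest-precedence rule into the highest; doing the arithmetic in int and range-checking the result rejects the overflow instead.

```go
package main

import (
	"errors"
	"fmt"
)

// OpenFlow flow priorities are 16-bit: 0..65535, and the higher value wins.
const maxOFPriority = 65535

// Assumed layout for this example (not Antrea's real scheme): each policy
// rule gets a distinct priority counting down from a base, so that rules
// added earlier take precedence over rules added later.
const basePriority = 64000

// unsafePriority reproduces the bug class: the subtraction is done in
// uint16, so once index > basePriority the result wraps around instead of
// failing, and a late, low-precedence rule ends up with the top priority.
func unsafePriority(index int) uint16 {
	return uint16(basePriority) - uint16(index)
}

// safePriority does the same arithmetic in int and refuses any result that
// falls outside the 16-bit OpenFlow range, so exhaustion of the priority
// space becomes an error the caller must handle, not a wrong flow priority.
func safePriority(index int) (uint16, error) {
	p := basePriority - index
	if index < 0 || p < 0 || p > maxOFPriority {
		return 0, errors.New("policy index exhausts OpenFlow priority space")
	}
	return uint16(p), nil
}

func main() {
	// Constructed scenario: rule 0 is an early allow, rule 64001 is a late
	// deny that should rank below it. With wrapping arithmetic the late rule
	// gets 65535 and overrides every rule installed before it.
	for _, idx := range []int{0, 64001} {
		p, err := safePriority(idx)
		fmt.Printf("index %d: unsafe=%d safe=%d err=%v\n", idx, unsafePriority(idx), p, err)
	}
}
```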

Vulnerability details

Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large number of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in version 2.4.3.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1686 Disable or Modify System Firewall (Defense Impairment): Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The uint16 overflow in Antrea's network policy priority handling directly impairs enforcement of Kubernetes NetworkPolicies (acting as cluster firewall rules via OpenFlow), mapping to disabling/modifying system firewall controls. The resulting misrouting and traffic denial also align with application exploitation for endpoint DoS impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34992 (same product: Linuxfoundation Antrea)
CVE-2025-68133 (same vendor: Linuxfoundation)
CVE-2025-68136 (same vendor: Linuxfoundation)
CVE-2026-27571 (same vendor: Linuxfoundation)
CVE-2024-24419 (same vendor: Linuxfoundation)
CVE-2023-37024 (same vendor: Linuxfoundation)
CVE-2026-37532 (same vendor: Linuxfoundation)
CVE-2024-24422 (same vendor: Linuxfoundation)
CVE-2026-33218 (same vendor: Linuxfoundation)
CVE-2024-24418 (same vendor: Linuxfoundation)

Affected Assets

linuxfoundation / antrea: ≤ 2.3.2 · 2.4.0 — 2.4.3

Mitigating Controls (NIST 800-53 r5) · AI

Prevent (SI-2 Flaw Remediation): Directly mitigates the uint16 arithmetic overflow in Antrea's network policy priority assignment by requiring timely patching to fixed versions 2.3.2 and 2.4.3.

Detect (RA-5 Vulnerability Monitoring and Scanning): Identifies vulnerable Antrea installations through vulnerability scanning for CVE-2026-25804, enabling remediation before exploitation.

Prevent (input validation): Validates inputs such as the quantity and priority values of network policies to prevent triggering the arithmetic overflow during OpenFlow priority calculations.
