CVE-2026-25804
Published: 06 February 2026
Summary
CVE-2026-25804 is a critical-severity Improper Authentication (CWE-287) vulnerability in Linuxfoundation Antrea. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify System Firewall (T1562.004). The CVE is ranked at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the uint16 arithmetic overflow in Antrea's network policy priority assignment by requiring timely patching to the fixed versions 2.3.2 and 2.4.3.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies vulnerable Antrea installations through vulnerability scanning for CVE-2026-25804, enabling remediation before exploitation.
- Input validation: Validates inputs such as the quantity and priority values of network policies so that OpenFlow priority calculations cannot trigger the arithmetic overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The uint16 overflow in Antrea's network policy priority handling directly impairs enforcement of Kubernetes NetworkPolicies, which act as cluster firewall rules implemented via OpenFlow; this maps to disabling or modifying system firewall controls. The resulting misrouting and traffic denial also align with application exploitation causing endpoint denial of service.
NVD Description
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large number of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in version 2.4.3.
Deeper analysis
CVE-2026-25804 is a uint16 arithmetic overflow vulnerability in Antrea, a Kubernetes-native networking solution. The flaw affects Antrea versions prior to 2.3.2 and 2.4.3, specifically in the network policy priority assignment system. It causes incorrect OpenFlow priority calculations when processing large numbers of policies with various priority values, potentially leading to improper traffic enforcement.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating network-accessible exploitation with low complexity, no required privileges, and no user interaction. Attackers can exploit it by submitting a large volume of network policies to trigger the overflow, resulting in miscalculated priorities that disrupt policy enforcement. This enables high-impact confidentiality violations, such as unauthorized data access, and availability issues, like traffic denial or misrouting.
Antrea has patched the issue in version 2.4.3. Administrators should upgrade to this version or later to mitigate the vulnerability. Official details are provided in the Antrea security advisory at GHSA-86x4-wp9f-wrr9, the fixing pull request #7496, and commit 86c4b6010f3be536866f339b632621c23d7186fa on the project's GitHub repository.
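As an added illustration of the bug class (this is not Antrea's code or its actual priority algorithm), the Go program below models a hypothetical allocator that steps OpenFlow priorities down from a base; the base, step and rank values are constructed. The unchecked function wraps in uint16 arithmetic and silently places a low-ranked policy above rank 0, while the checked function widens the arithmetic and rejects out-of-range results so the caller can refuse the policy instead of misordering rules.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed values for a hypothetical allocator (NOT Antrea's code): a policy's
// rank (0 = most important) maps to an OpenFlow priority by stepping down from a
// base. OpenFlow priorities are 16-bit and Go's uint16 arithmetic wraps silently.
const (
	basePriority uint16 = 64000
	step         uint16 = 100
)

// uncheckedPriority shows the defect: once rank*step exceeds basePriority the
// subtraction wraps, so a low-ranked policy lands ABOVE rank 0 in the flow table.
func uncheckedPriority(rank uint16) uint16 {
	return basePriority - rank*step
}
var ErrPriorityRange = errors.New("openflow priority out of uint16 range")
// checkedPriority does the arithmetic in int64 and rejects out-of-range
// results, so the caller can refuse the policy rather than misorder rules.
func checkedPriority(rank uint16) (uint16, error) {
	p := int64(basePriority) - int64(rank)*int64(step)
	if p < 0 || p > 0xFFFF {
		return 0, ErrPriorityRange
	}
	return uint16(p), nil
}
// strictlyDescending reports whether every later (lower-ranked) policy
// received a lower priority, i.e. whether policy order survived allocation.
func strictlyDescending(ps []uint16) bool {
	for i := 1; i < len(ps); i++ {
		if ps[i] >= ps[i-1] {
			return false
		}
	}
	return true
}
func main() {
	var ps []uint16
	for r := uint16(0); r <= 641; r++ { // 642 policies exhaust the 64000/100 range
		ps = append(ps, uncheckedPriority(r))
	}
	fmt.Println("order preserved without checks:", strictlyDescending(ps)) // false
	_, err := checkedPriority(641)
	fmt.Println("checked allocation of rank 641:", err) // prints the ErrPriorityRange message
}
```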
Details
- CWE(s): CWE-287 (Improper Authentication)