CVE-2026-5367
Published: 24 April 2026
Summary
CVE-2026-5367 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces validation of DHCPv6 SOLICIT packet inputs, including Client ID lengths, to prevent out-of-bounds reads in ovn-controller.
Requires timely remediation of the specific flaw in ovn-controller via patches provided in Red Hat advisories, eliminating the vulnerability.
Ensures error handling during malformed packet processing does not disclose sensitive heap memory contents in responses to attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of the ovn-controller network service via crafted DHCPv6 packets, directly mapping to exploitation of a network-accessible application for information disclosure.
NVD Description
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of…
more
a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Deeper analysisAI
CVE-2026-5367 is a vulnerability in OVN (Open Virtual Network), specifically affecting the ovn-controller component. The flaw stems from improper handling of DHCPv6 SOLICIT packets with an inflated Client ID length (CWE-130), causing ovn-controller to perform an out-of-bounds read beyond the packet boundaries. This exposes sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port. The issue was published on 2026-04-24 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
A remote attacker can exploit this vulnerability without authentication or privileges by sending crafted DHCPv6 SOLICIT packets to the ovn-controller. No user interaction is required, and the attack has low complexity due to its network accessibility. Exploitation results in high-impact confidentiality loss, as sensitive heap memory contents are disclosed directly to the attacker's virtual machine port, with changed scope due to the cross-VM information flow.
Red Hat advisories detail mitigations through updated packages in errata RHSA-2026:11694, RHSA-2026:11695, RHSA-2026:11696, RHSA-2026:11698, and RHSA-2026:11700, which security practitioners should apply to vulnerable OVN deployments.
Details
- CWE(s)