CVE-2026-5367
Published: 24 April 2026
Summary
CVE-2026-5367 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in Redhat (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5367 is a vulnerability in OVN (Open Virtual Network), specifically affecting the ovn-controller component. The flaw stems from improper handling of DHCPv6 SOLICIT packets with an inflated Client ID length (CWE-130), causing ovn-controller to perform an out-of-bounds read beyond the packet boundaries. This exposes sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port. The issue was published on 2026-04-24 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
A remote attacker can exploit this vulnerability without authentication or privileges by sending crafted DHCPv6 SOLICIT packets to the ovn-controller. No user interaction is required, and the attack has low complexity due to its network accessibility. Exploitation results in high-impact confidentiality loss, as sensitive heap memory contents are disclosed directly to the attacker's virtual machine port, with changed scope due to the cross-VM information flow.
Red Hat advisories detail mitigations through updated packages in errata RHSA-2026:11694, RHSA-2026:11695, RHSA-2026:11696, RHSA-2026:11698, and RHSA-2026:11700, which security practitioners should apply to vulnerable OVN deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25421
Vulnerability details
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of…
more
a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of the ovn-controller network service via crafted DHCPv6 packets, directly mapping to exploitation of a network-accessible application for information disclosure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation of DHCPv6 SOLICIT packet inputs, including Client ID lengths, to prevent out-of-bounds reads in ovn-controller.
Requires timely remediation of the specific flaw in ovn-controller via patches provided in Red Hat advisories, eliminating the vulnerability.
Ensures error handling during malformed packet processing does not disclose sensitive heap memory contents in responses to attackers.