{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ovn/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-5367"}],"_cs_exploited":false,"_cs_products":["OVN"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","network"],"_cs_type":"advisory","_cs_vendors":["Open Virtual Network"],"content_html":"\u003cp\u003eCVE-2026-5367 describes a critical vulnerability affecting Open Virtual Network (OVN). A remote attacker can exploit this flaw by sending specially crafted DHCPv6 SOLICIT packets to the OVN controller. These packets contain an inflated Client ID length, which causes the \u003ccode\u003eovn-controller\u003c/code\u003e process to read beyond the allocated memory buffer. This out-of-bounds read allows the attacker to potentially access sensitive information stored in the heap memory, which can then be disclosed back to the attacker\u0026rsquo;s virtual machine port. Successful exploitation grants unauthorized access to potentially sensitive data within the OVN environment, impacting confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OVN deployment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious DHCPv6 SOLICIT packet. The packet includes an inflated Client ID length field.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted DHCPv6 SOLICIT packet to the OVN controller.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eovn-controller\u003c/code\u003e receives the packet and attempts to process the DHCPv6 Client ID option.\u003c/li\u003e\n\u003cli\u003eDue to the inflated Client ID length, the \u003ccode\u003eovn-controller\u003c/code\u003e reads beyond the bounds of the allocated memory buffer.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds read accesses sensitive information residing in the heap memory.\u003c/li\u003e\n\u003cli\u003eThe compromised data is included in the DHCPv6 response sent back to the attacker\u0026rsquo;s virtual machine port.\u003c/li\u003e\n\u003cli\u003eAttacker receives the DHCPv6 response containing the disclosed sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5367 leads to the disclosure of sensitive information stored in the heap memory of the \u003ccode\u003eovn-controller\u003c/code\u003e. The attacker can potentially gain access to configuration data, cryptographic keys, or other sensitive data, allowing them to further compromise the OVN environment or gain unauthorized access to other resources within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious DHCPv6 SOLICIT packets with unusually long Client ID lengths targeting the OVN controller, utilizing the network_connection rule provided below.\u003c/li\u003e\n\u003cli\u003eAnalyze DHCPv6 server logs for errors related to invalid Client ID lengths or out-of-bounds memory access, leveraging the linux process_creation rule provided below if auditd captures such events.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates provided by the OVN project to address CVE-2026-5367.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T13:16:21Z","date_published":"2026-04-24T13:16:21Z","id":"/briefs/2026-04-ovn-dhcpv6-oob-read/","summary":"A remote attacker can exploit an out-of-bounds read vulnerability in Open Virtual Network (OVN) by sending crafted DHCPv6 SOLICIT packets, leading to sensitive information disclosure.","title":"OVN DHCPv6 Out-of-Bounds Read Vulnerability (CVE-2026-5367)","url":"https://feed.craftedsignal.io/briefs/2026-04-ovn-dhcpv6-oob-read/"}],"language":"en","title":"CraftedSignal Threat Feed — OVN","version":"https://jsonfeed.org/version/1.1"}