CVE-2026-5265
Published: Apr 24, 2026
Modified: Jun 1, 2026
CVSS v3.1: 6.5
Description
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
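The missing check, shown as an added illustration for IPv4 only; this is not OVN's code or the actual fix. The function names, `QUOTE_CAP`, the constructed sample packet, and the choice to clamp rather than drop are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20
#define QUOTE_CAP 576 /* assumed size of the ICMP error body buffer */

/* Big-endian total-length field at offset 2 of an IPv4 header. */
static uint16_t ipv4_declared_len(const uint8_t *pkt)
{
    return (uint16_t)((pkt[2] << 8) | pkt[3]);
}

/* Flawed pattern: the copy length comes from the header alone. */
static size_t quote_len_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    (void)pkt_len; /* the real buffer size is never consulted */
    return ipv4_declared_len(pkt);
}

/* Hardened: clamp the declared length to the bytes actually received and
 * to the output capacity. Returns bytes copied, 0 if no full header. */
static size_t quote_original(const uint8_t *pkt, size_t pkt_len,
                             uint8_t *out, size_t out_cap)
{
    if (pkt_len < IPV4_HDR_LEN) return 0;
    size_t n = ipv4_declared_len(pkt);
    if (n > pkt_len) n = pkt_len;
    if (n > out_cap) n = out_cap;
    memcpy(out, pkt, n);
    return n;
}

/* Constructed sample: 28 bytes on the wire, header claims 1500. */
static size_t make_sample(uint8_t *buf)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                /* version 4, IHL 5 */
    buf[2] = 0x05; buf[3] = 0xdc; /* total length = 1500 */
    return 28;
}

int main(void)
{
    uint8_t pkt[28], out[QUOTE_CAP];
    size_t len = make_sample(pkt);
    printf("declared=%zu copied=%zu\n", quote_len_unchecked(pkt, len),
           quote_original(pkt, len, out, sizeof out));
    return 0;
}
```

For IPv6 the same clamp applies to the 40-byte fixed header plus `ip6_plen`, since that field counts only the payload.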
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 | unaffected 0:25.03.2-100.el10fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 | unaffected 0:25.09.2-103.el10fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | unaffected 0:21.12.0-145.el8fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | unaffected 0:23.06.4-30.el8fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | unaffected 0:23.06.4-30.el9fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | unaffected 0:23.09.6-16.el9fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | unaffected 0:24.03.7-82.el9fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | unaffected 0:25.03.2-100.el9fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | unaffected 0:25.09.2-103.el9fdp - < * |
| Red Hat | Fast Datapath for RHEL 7 | All versions |
| Red Hat | Fast Datapath for RHEL 8 | All versions |
| Red Hat | Fast Datapath for RHEL 9 | All versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: High
References