Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-130
Improper Handling of Length Parameter Inconsistency
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
CVE-2026-5367 (GCVE-0-2026-5367)
Vulnerability from cvelistv5 – Published: 2026-04-24 12:25 – Updated: 2026-06-30 12:10
VLAI
EPSS
VEX
Title
Ovn: ovn: information disclosure via crafted dhcpv6 packets
Summary
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Assigner
References
14 references
Impacted products
15 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 |
Unaffected:
0:25.03.2-100.el10fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 |
Unaffected:
0:25.09.2-103.el10fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 |
Unaffected:
0:21.12.0-145.el8fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:8::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 |
Unaffected:
0:23.06.4-30.el8fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:8::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 |
Unaffected:
0:23.06.4-30.el9fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 |
Unaffected:
0:23.09.6-16.el9fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 |
Unaffected:
0:24.03.7-82.el9fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 |
Unaffected:
0:25.03.2-100.el9fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 |
Unaffected:
0:25.09.2-103.el9fdp , < *
(rpm)
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
|
| Red Hat | Fast Datapath for RHEL 8 |
cpe:/o:redhat:enterprise_linux:8::fastdatapath |
|
| Red Hat | Fast Datapath for RHEL 9 |
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8::fastdatapath |
|
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9::fastdatapath |
Date Public
2026-04-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-24T13:37:14.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/20/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/20/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:58:51.939172Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:17:08.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10::fastdatapath"
],
"defaultStatus": "affected",
"product": "Fast Datapath for Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "affected",
"product": "Fast Datapath for Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"product": "Fast Datapath for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "affected",
"product": "Fast Datapath for RHEL 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"product": "Fast Datapath for RHEL 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker\u0027s virtual machine port."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:32.848Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-5367"
},
{
"name": "RHBZ#2455863",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5367.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22110"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22111"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11694"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11695"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11696"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11698"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11700"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11701"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11702"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:22110: Fast Datapath for Red Hat Enterprise Linux 10"
},
{
"lang": "en",
"value": "RHSA-2026:22111: Fast Datapath for Red Hat Enterprise Linux 10"
},
{
"lang": "en",
"value": "RHSA-2026:11694: Fast Datapath for Red Hat Enterprise Linux 8"
},
{
"lang": "en",
"value": "RHSA-2026:11695: Fast Datapath for Red Hat Enterprise Linux 8"
},
{
"lang": "en",
"value": "RHSA-2026:11696: Fast Datapath for Red Hat Enterprise Linux 9"
},
{
"lang": "en",
"value": "RHSA-2026:11698: Fast Datapath for Red Hat Enterprise Linux 9"
},
{
"lang": "en",
"value": "RHSA-2026:11700: Fast Datapath for Red Hat Enterprise Linux 9"
},
{
"lang": "en",
"value": "RHSA-2026:11701: Fast Datapath for Red Hat Enterprise Linux 9"
},
{
"lang": "en",
"value": "RHSA-2026:11702: Fast Datapath for Red Hat Enterprise Linux 9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-07T08:10:53.507Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Made public."
}
],
"title": "ovn: OVN: Information disclosure via crafted DHCPv6 packets",
"workarounds": [
{
"lang": "en",
"value": "The only potential mitigation is to disable the DHCPv6 feature for\nworkloads attached to OVN logical ports, e.g.:\n\novn-nbctl clear logical_switch_port \u003cworkload-port\u003e dhcpv6_options.\n\nWe do not recommend mitigating the vulnerability this way because it\nwill also disable legitimate DHCPv6 traffic originating from\nworkloads connected to logical switch ports."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn25.03",
"product": "Fast Datapath for Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:25.03.2-100.el10fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn25.09",
"product": "Fast Datapath for Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:25.09.2-103.el10fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn-2021",
"product": "Fast Datapath for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:21.12.0-145.el8fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn23.06",
"product": "Fast Datapath for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:23.06.4-30.el8fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn23.06",
"product": "Fast Datapath for Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:23.06.4-30.el9fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn23.09",
"product": "Fast Datapath for Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:23.09.6-16.el9fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn24.03",
"product": "Fast Datapath for Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:24.03.7-82.el9fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn25.03",
"product": "Fast Datapath for Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:25.03.2-100.el9fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn25.09",
"product": "Fast Datapath for Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:25.09.2-103.el9fdp",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "unaffected",
"packageName": "ovn2.11",
"product": "Fast Datapath for RHEL 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "unaffected",
"packageName": "ovn2.12",
"product": "Fast Datapath for RHEL 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "unaffected",
"packageName": "ovn2.13",
"product": "Fast Datapath for RHEL 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn23.03",
"product": "Fast Datapath for RHEL 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn-2021",
"product": "Fast Datapath for RHEL 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::fastdatapath"
],
"defaultStatus": "affected",
"packageName": "ovn23.03",
"product": "Fast Datapath for RHEL 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "ovn22.06",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "ovn22.09",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "ovn22.12",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "ovn23.03",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ovn23.06",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "ovn23.09",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ovn24.03",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "ovn24.09",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ovn25.03",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker\u0027s virtual machine port."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T02:48:19.206Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:11694",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11694"
},
{
"name": "RHSA-2026:11695",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11695"
},
{
"name": "RHSA-2026:11696",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11696"
},
{
"name": "RHSA-2026:11698",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11698"
},
{
"name": "RHSA-2026:11700",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11700"
},
{
"name": "RHSA-2026:11701",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11701"
},
{
"name": "RHSA-2026:11702",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11702"
},
{
"name": "RHSA-2026:22110",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22110"
},
{
"name": "RHSA-2026:22111",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22111"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-5367"
},
{
"name": "RHBZ#2455863",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455863"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-07T08:10:53.507Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Ovn: ovn: information disclosure via crafted dhcpv6 packets",
"workarounds": [
{
"lang": "en",
"value": "The only potential mitigation is to disable the DHCPv6 feature for\nworkloads attached to OVN logical ports, e.g.:\n\novn-nbctl clear logical_switch_port \u003cworkload-port\u003e dhcpv6_options.\n\nWe do not recommend mitigating the vulnerability this way because it\nwill also disable legitimate DHCPv6 traffic originating from\nworkloads connected to logical switch ports."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-130: Improper Handling of Length Parameter Inconsistency"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-5367",
"datePublished": "2026-04-24T12:25:05.024Z",
"dateReserved": "2026-04-01T18:39:05.229Z",
"dateUpdated": "2026-06-30T12:10:32.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5766 (GCVE-0-2026-5766)
Vulnerability from cvelistv5 – Published: 2026-05-05 14:49 – Updated: 2026-05-06 15:25
VLAI
EPSS
VEX
Title
Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
Summary
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kyle Agronick for reporting this issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://docs.djangoproject.com/en/dev/releases/se… | vendor-advisory |
| https://groups.google.com/g/django-announce | mailing-list |
| https://www.djangoproject.com/weblog/2026/may/05/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | Django |
Affected:
6.0 , < 6.0.5
(python)
Unaffected: 6.0.5 (python) Affected: 5.2 , < 5.2.14 (python) Unaffected: 5.2.14 (python) |
Date Public
2026-05-05 09:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T17:03:20.935294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T15:25:38.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "6.0.5",
"status": "affected",
"version": "6.0",
"versionType": "python"
},
{
"status": "unaffected",
"version": "6.0.5",
"versionType": "python"
},
{
"lessThan": "5.2.14",
"status": "affected",
"version": "5.2",
"versionType": "python"
},
{
"status": "unaffected",
"version": "5.2.14",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kyle Agronick"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jacob Walls"
},
{
"lang": "en",
"type": "coordinator",
"value": "Sarah Boyce"
}
],
"datePublic": "2026-05-05T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003eASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kyle Agronick for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\r\n \r\nAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kyle Agronick for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130: Excessive Allocation"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "low"
},
"type": "Django severity rating"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T14:49:19.715Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 6.0.5 and 5.2.14",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-05-12T10:32:17.000Z",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2026-04-07T10:32:20.000Z",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2026-05-05T09:00:00.000Z",
"value": "Security release issued."
}
],
"title": "Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2026-5766",
"datePublished": "2026-05-05T14:49:19.715Z",
"dateReserved": "2026-04-07T19:29:07.042Z",
"dateUpdated": "2026-05-06T15:25:38.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6432 (GCVE-0-2026-6432)
Vulnerability from cvelistv5 – Published: 2026-06-25 13:49 – Updated: 2026-06-25 15:33
VLAI
EPSS
VEX
Title
Improper bounds validation in EmberZNet SDK
Summary
Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://siliconlabs.lightning.force.com/sfc/servl… | vendor-advisorypermissions-required |
| https://github.com/SiliconLabsSoftware/sisdk-release | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Silicon Labs | SiSDK |
Affected:
0 , ≤ 2025.12 and earlier
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:33:12.084091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:33:19.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EmberZNet",
"product": "SiSDK",
"repo": "https://github.com/SiliconLabs/simplicity_sdk",
"vendor": "Silicon Labs",
"versions": [
{
"lessThanOrEqual": "2025.12 and earlier",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Junming C. (@Chapoly1305) and Prof. Qiang Zeng of George Mason University"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage."
}
],
"value": "Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:49:37.685Z",
"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"shortName": "Silabs"
},
"references": [
{
"tags": [
"vendor-advisory",
"permissions-required"
],
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000pYDOwIAO?operationContext=S1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/SiliconLabsSoftware/sisdk-release"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper bounds validation in EmberZNet SDK",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"assignerShortName": "Silabs",
"cveId": "CVE-2026-6432",
"datePublished": "2026-06-25T13:49:37.685Z",
"dateReserved": "2026-04-16T17:02:59.346Z",
"dateUpdated": "2026-06-25T15:33:19.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.
Mitigation
Phase: Implementation
Description:
- Do not let the user control the size of the buffer.
Mitigation
Phase: Implementation
Description:
- Validate that the length of the user-supplied data is consistent with the buffer size.
CAPEC-47: Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.