CVE-2026-5265: ovn-controller ICMP Error Copies Partial Out-of-Bounds Heap Data
CVE-2026-5265 Published on April 24, 2026

Ovn: ovn: heap over-read in icmp error response generation - security issue
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.

NVD

Vulnerability Analysis

CVE-2026-5265 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public. 13 days later.

Weakness Type

What is a length manipulation Vulnerability?

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.

CVE-2026-5265 has been classified to as a length manipulation vulnerability or weakness.


Products Associated with CVE-2026-5265

Want to know whenever a new CVE is published for Red Hat Enterprise Linux (RHEL)? stack.watch will email you.

Red Hat Enterprise Linux (RHEL)
 

Affected Versions

Red Hat Fast Datapath for RHEL 7: Red Hat Fast Datapath for RHEL 7: Red Hat Fast Datapath for RHEL 7: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 8: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: Red Hat Fast Datapath for RHEL 9: