CVE-2018-14636
Description
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Live-migrated OpenStack instances can eavesdrop on other tenants' network traffic due to untagged Open vSwitch ports.
Vulnerability
CVE-2018-14636 affects OpenStack Neutron versions before 13.0.0.0b2, 12.0.3, and 11.0.5. During live migration, an instance's port is temporarily connected to the Open vSwitch integration bridge without VLAN filtering, allowing the migrated instance to see traffic from other tenants on the same hypervisor. If the port is set administratively down before migration and kept down afterward, this exposure becomes permanent [1][2].
Exploitation
Exploitation requires that an OpenStack administrator (or an automated process) live-migrate an instance under the attacker's control to a compute node that uses Open vSwitch self-service networks. The attacker's instance is initially created with a trunk port; during migration the port remains untagged, and if the port is kept administratively down it stays in trunk mode indefinitely, enabling inspection of other tenants' traffic [1][3].
Impact
A successful exploit allows the attacker's instance to receive traffic from and send traffic to other private networks on the same compute node, violating network isolation. This can lead to disclosure of sensitive data from co-tenant instances and unauthorized network access [1][2].
Mitigation
Red Hat and upstream OpenStack fixed this issue in Neutron versions 13.0.0.0b2, 12.0.3, and 11.0.5; the vulnerability is also addressed in OpenStack Platform versions 14.0.4, 13.0.9, and later [2][3]. Operators should upgrade Neutron to these patched versions. A workaround is to ensure ports are not left administratively down after live migration, and to monitor for unauthorized traffic [1].
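The condition the advisory describes is observable on the compute node itself: an instance port attached to the integration bridge with no VLAN tag in its OVS `Port` record. The following script is an added detection example, not code from the advisory, Red Hat or the Neutron project. It parses the plain-text output of `ovs-vsctl list Port`, assumes the ML2/OVS naming scheme in which instance ports are named `tap*` (native OVS firewall) or `qvo*` (hybrid plug), treats Neutron's dead VLAN tag 4095 as a quarantined rather than exposed state, and ships with a constructed sample listing so it runs offline.

```python
"""Flag instance ports on the OVS integration bridge that carry no VLAN tag.

Added example for CVE-2018-14636 (not from the advisory or from Neutron).
An instance port on br-int whose `tag` column is the empty set [] is in the
untagged "trunk" state described in the advisory and sees traffic for every
VLAN on the bridge.  Run on a compute node as:

    ovs-vsctl list Port | python3 untagged_ports.py
"""
import re
import sys

# Neutron's OVS agent quarantines admin-down ports on this tag with drop flows;
# it is not the exposed state, so it is reported separately.
DEAD_VLAN_TAG = 4095
# Assumption: instance ports follow the ML2/OVS naming scheme (tap*/qvo*).
# Patch ports such as patch-tun or int-br-ex are legitimately untagged.
INSTANCE_PORT_PREFIXES = ("tap", "qvo")

# One `column : value` line of ovs-vsctl's list output.
FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")

# Constructed sample of `ovs-vsctl list Port`, trimmed to the relevant columns.
SAMPLE_LISTING = """\
_uuid               : 1b5d2c30-0000-4000-8000-000000000001
name                : "patch-tun"
tag                 : []
vlan_mode           : []

_uuid               : 1b5d2c30-0000-4000-8000-000000000002
name                : "tap0a1b2c3d-4e"
tag                 : 12
vlan_mode           : []

_uuid               : 1b5d2c30-0000-4000-8000-000000000003
name                : "tap5f6a7b8c-9d"
tag                 : []
vlan_mode           : []

_uuid               : 1b5d2c30-0000-4000-8000-000000000004
name                : "qvoaabbccdd-ee"
tag                 : 4095
vlan_mode           : []
"""


def parse_ovs_list(text):
    """Split `ovs-vsctl list <table>` output into a list of {column: value} dicts.

    Records are separated by blank lines; values keep ovs-vsctl's own notation
    (strings double-quoted, an empty set written as []).
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
    if current:
        records.append(current)
    return records


def port_name(record):
    return record.get("name", "").strip('"')


def port_tag(record):
    """Return the VLAN tag as an int, or None when the column is the empty set."""
    raw = record.get("tag", "[]")
    return None if raw == "[]" else int(raw)


def classify_instance_ports(text, prefixes=INSTANCE_PORT_PREFIXES):
    """Map each instance port to its VLAN tag, 'dead' (4095) or 'untagged'."""
    result = {}
    for record in parse_ovs_list(text):
        name = port_name(record)
        if not name.startswith(prefixes):
            continue
        tag = port_tag(record)
        if tag is None:
            result[name] = "untagged"
        elif tag == DEAD_VLAN_TAG:
            result[name] = "dead"
        else:
            result[name] = tag
    return result


def find_untagged_instance_ports(text, prefixes=INSTANCE_PORT_PREFIXES):
    """Return the sorted names of instance ports with no VLAN tag at all."""
    return sorted(name for name, state in classify_instance_ports(text, prefixes).items()
                  if state == "untagged")


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    exposed = find_untagged_instance_ports(listing)
    for name in exposed:
        print(f"UNTAGGED instance port on br-int: {name}")
    sys.exit(1 if exposed else 0)
```

A non-zero exit makes the script usable as a periodic host check; a hit on a port that also shows `admin_state_up=False` in Neutron for an instance that was recently live-migrated matches the prolonged-exposure case in the advisory and warrants immediate attention.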
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| neutron | PyPI | >= 13.0.0.0b1, < 13.0.0.0b2 | 13.0.0.0b2 |
| neutron | PyPI | >= 12.0.0, < 12.0.3 | 12.0.3 |
| neutron | PyPI | >= 11.0.0, < 11.0.5 | 11.0.5 |
Affected products
- The Openstack Project / openstack-neutron, range: 13.0.0.0b2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8q95-jj7p-x93x (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-14636 (GHSA, advisory)
- bugs.launchpad.net/neutron/+bug/1734320 (GHSA, x_refsource_CONFIRM)
- bugs.launchpad.net/neutron/+bug/1767422 (GHSA, x_refsource_CONFIRM)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_CONFIRM)
- github.com/pypa/advisory-database/tree/main/vulns/neutron/PYSEC-2018-94.yaml (GHSA, web)
News mentions
No linked articles in our index yet.