CVE-2026-34992
Description
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to 2.4.5 and 2.5.2, a missing encryption vulnerability affects inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fails to apply encryption for IPv6 Pod traffic. While the IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because the packets are encapsulated (using Geneve or VXLAN) but bypass the IPsec encryption layer. Impacted Users: users with dual-stack clusters and IPsec encryption enabled. Single-stack IPv4 or IPv6 clusters are not affected. This vulnerability is fixed in 2.4.5 and 2.5.2.
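The following Go program is an added example, not Antrea's own code, written to make the mechanism in the description concrete from a defender's point of view. It models, with hypothetical names (`PeerIPs`, `TunnelPeerForFlow`, `Encrypted`, `ClusterExposed`), how a Pod-to-Pod flow picks its tunnel destination before and after the fix: in the affected behaviour an IPv6 flow is tunnelled to the peer's IPv6 address, which has no IPsec policy, while the fixed behaviour sends it into the IPv4 IPsec tunnel; it also includes a configuration check for the affected state (trafficEncryptionMode `ipsec` plus at least one dual-stack Node). The version check is not modelled; sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// PeerIPs holds a remote Node's internal addresses; a dual-stack Node has both set.
// (Hypothetical type for this example, not Antrea's.)
type PeerIPs struct {
	IPv4 net.IP
	IPv6 net.IP
}

// IPsecTunnelEndpoint returns the address the IPsec tunnel port is created toward:
// the IPv4 address when present, otherwise the IPv6 address (IPv6-only Node).
func IPsecTunnelEndpoint(peer PeerIPs) net.IP {
	if peer.IPv4 != nil {
		return peer.IPv4
	}
	return peer.IPv6
}

// TunnelPeerForFlow returns the tunnel destination chosen for a Pod-to-Pod flow.
//
// fixed=false models the affected behaviour: each address family tunnels to the
// peer address of the same family, so an IPv6 flow is sent to an IPv6 Geneve/VXLAN
// tunnel that carries no IPsec policy and is therefore transmitted in plaintext.
// fixed=true models the patched behaviour: with IPsec enabled, every flow is sent
// to the IPsec tunnel endpoint, so IPv6 traffic is encapsulated in IPv4 and encrypted.
func TunnelPeerForFlow(isIPv6, ipsecEnabled, fixed bool, peer PeerIPs) net.IP {
	if fixed && ipsecEnabled {
		return IPsecTunnelEndpoint(peer)
	}
	if isIPv6 {
		return peer.IPv6
	}
	return peer.IPv4
}

// Encrypted reports whether traffic to tunnelPeer is carried inside the IPsec tunnel.
// In this model only the tunnel toward the IPsec endpoint carries ESP.
func Encrypted(ipsecEnabled bool, tunnelPeer net.IP, peer PeerIPs) bool {
	return ipsecEnabled && tunnelPeer != nil && tunnelPeer.Equal(IPsecTunnelEndpoint(peer))
}

// IsDualStack reports whether a Node advertises both an IPv4 and an IPv6 internal address.
func IsDualStack(peer PeerIPs) bool {
	return peer.IPv4 != nil && peer.IPv6 != nil
}

// ClusterExposed is the defender-side configuration check from the advisory: the
// cluster is in the affected state when trafficEncryptionMode is "ipsec" and at least
// one Node is dual-stack. Single-stack IPv4 or IPv6 clusters are not affected.
// (Whether the running version is patched is not modelled here.)
func ClusterExposed(trafficEncryptionMode string, nodes []PeerIPs) bool {
	if trafficEncryptionMode != "ipsec" {
		return false
	}
	for _, n := range nodes {
		if IsDualStack(n) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: one dual-stack peer and one IPv6-only peer.
	dual := PeerIPs{IPv4: net.ParseIP("10.0.0.2"), IPv6: net.ParseIP("fd00::2")}
	v6only := PeerIPs{IPv6: net.ParseIP("fd00::3")}
	for _, fixed := range []bool{false, true} {
		for _, isIPv6 := range []bool{false, true} {
			dst := TunnelPeerForFlow(isIPv6, true, fixed, dual)
			fmt.Printf("fixed=%-5v ipv6flow=%-5v tunnel->%-10v encrypted=%v\n",
				fixed, isIPv6, dst, Encrypted(true, dst, dual))
		}
	}
	fmt.Println("exposed (dual-stack, ipsec):", ClusterExposed("ipsec", []PeerIPs{dual, v6only}))
	fmt.Println("exposed (ipv6-only, ipsec): ", ClusterExposed("ipsec", []PeerIPs{v6only}))
}
```

Running it prints one line per (fixed, address family) combination; the only combination reported as unencrypted is the pre-fix IPv6 flow on a dual-stack peer, which is exactly the case the advisory describes.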
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| antrea.io/antrea (Go) | >= 1.11.0 | — |
| antrea.io/antrea (Go) | >= 2.5.0 | — |
| antrea.io/antrea (Go) | < 1.11.0-alpha.0.0.20260225185322-738bad662b20 | 1.11.0-alpha.0.0.20260225185322-738bad662b20 |
Affected products
Patches (1)
738bad662b20 Support IPv6 traffic over IPv4 IPsec tunnel (#7759)
2 files changed · +19 −5
pkg/agent/controller/noderoute/node_route_controller.go+2 −1 modified@@ -621,7 +621,8 @@ func (c *Controller) addNodeRoute(nodeName string, node *corev1.Node) error { if c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeIPSec { // Create a separate tunnel port for the Node, as OVS IPsec monitor needs to // read PSK and remote IP from the Node's tunnel interface to create IPsec - // security policies. + // security policies. We use the Node's IPv4 address when present, and the + // Node's IPv6 address otherwise. peerNodeIP := peerNodeIPs.IPv4 if peerNodeIP == nil { peerNodeIP = peerNodeIPs.IPv6
pkg/agent/openflow/client.go+17 −4 modified@@ -69,7 +69,8 @@ type Client interface { // InstallNodeFlows should be invoked when a connection to a remote Node is going to be set // up. The hostname is used to identify the added flows. When IPsec tunnel is enabled, // ipsecTunOFPort must be set to the OFPort number of the IPsec tunnel port to the remote Node; - // otherwise ipsecTunOFPort must be set to 0. + // otherwise ipsecTunOFPort must be 0. In dual-stack, IPv6 traffic will be encapsulated in the + // IPv4 tunnel so it goes through the IPsec tunnel and gets encrypted. // InstallNodeFlows has all-or-nothing semantics(call succeeds if all the flows are installed // successfully, otherwise no flows will be installed). Calls to InstallNodeFlows are idempotent. // Concurrent calls to InstallNodeFlows and / or UninstallNodeFlows are supported as long as they @@ -571,6 +572,14 @@ func (c *client) InstallNodeFlows(hostname string, c.replayMutex.RLock() defer c.replayMutex.RUnlock() + // When IPsec is enabled, prioritize using the Node's IPv4 address for the tunnel endpoint. + // In dual-stack clusters, IPv6 traffic is encapsulated in IPv4 and transmitted through + // the IPsec tunnel. + ipsecTunnelEndpoint := tunnelPeerIPs.IPv4 + if ipsecTunnelEndpoint == nil { + ipsecTunnelEndpoint = tunnelPeerIPs.IPv6 + } + var flows []binding.Flow localGatewayMAC := c.nodeConfig.GatewayConfig.MAC for peerPodCIDR, peerGatewayIP := range peerConfigs { 
@@ -585,11 +594,15 @@ func (c *client) InstallNodeFlows(hostname string, // This flow replies to ARP requests sent from the local gateway asking for the MAC address of a remote peer gateway. It ensures that the local Node can reach any remote Pod. flows = append(flows, c.featurePodConnectivity.arpResponderFlow(peerGatewayIP, GlobalVirtualMAC)) } - // tunnelPeerIP is the Node Internal Address. In a dual-stack setup, one Node has 2 Node Internal - // Addresses (IPv4 and IPv6) . + tunnelPeerForFlow := tunnelPeerIP + if ipsecTunOFPort != 0 { + tunnelPeerForFlow = ipsecTunnelEndpoint + } + // tunnelPeerIP is the Node Internal Address. In a dual-stack setup without IPsec enabled, one Node has 2 Node Internal + // Addresses (IPv4 and IPv6). if (!isIPv6 && c.networkConfig.NeedsTunnelToPeer(tunnelPeerIPs.IPv4, c.nodeConfig.NodeTransportIPv4Addr)) || (isIPv6 && c.networkConfig.NeedsTunnelToPeer(tunnelPeerIPs.IPv6, c.nodeConfig.NodeTransportIPv6Addr)) { - flows = append(flows, c.featurePodConnectivity.l3FwdFlowsToRemoteViaTun(localGatewayMAC, *peerPodCIDR, tunnelPeerIP)...) + flows = append(flows, c.featurePodConnectivity.l3FwdFlowsToRemoteViaTun(localGatewayMAC, *peerPodCIDR, tunnelPeerForFlow)...) } else { flows = append(flows, c.featurePodConnectivity.l3FwdFlowToRemoteViaRouting(localGatewayMAC, remoteGatewayMAC, tunnelPeerIP, peerPodCIDR)...) // Flow to forward the reply packets of Egress connections, whose request packets came from remote Pods
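Review bot: In the node_route_controller.go hunk, the added comment ("We use the Node's IPv4 address when present, and the Node's IPv6 address otherwise") describes the existing `peerNodeIP := peerNodeIPs.IPv4` fallback but not why IPv4 is preferred. Since this is the address the OVS IPsec monitor reads to create the security policies, the comment should say that the IPsec tunnel port is deliberately created toward the IPv4 address in dual-stack so that IPv6 Pod traffic can be steered into that encrypted tunnel; as written, a reader could take the preference for an arbitrary ordering.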
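Review bot: In the first client.go hunk, the InstallNodeFlows interface comment now states "In dual-stack, IPv6 traffic will be encapsulated in the IPv4 tunnel so it goes through the IPsec tunnel and gets encrypted", but the IPv6-only case, where no IPv4 address exists and the IPsec tunnel falls back to the Node's IPv6 address, is not described; add one sentence covering it so the contract is complete for callers. The wording change from "must be set to 0" to "must be 0" is fine.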
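Review bot: In the second client.go hunk (the `@@ -571` region), the comment says "When IPsec is enabled", yet `ipsecTunnelEndpoint` is computed unconditionally before the `for peerPodCIDR` loop and is only meaningful when `ipsecTunOFPort != 0`; either guard the assignment with that condition or name the variable so it is clearly unused on the non-IPsec path. Also, if both `tunnelPeerIPs.IPv4` and `tunnelPeerIPs.IPv6` are nil the endpoint is nil and the loop would install tunnel flows with no destination; returning an error at that point would be safer than relying on callers never to pass an address-less peer.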
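Review bot: In the `@@ -585` hunk, the tunnel-vs-routing decision for IPv6 flows is still made with `NeedsTunnelToPeer(tunnelPeerIPs.IPv6, c.nodeConfig.NodeTransportIPv6Addr)`, while the tunnel flow installed in that branch now targets `tunnelPeerForFlow`, which with IPsec is the IPv4 endpoint. The decision and the destination should be evaluated against the same address, otherwise the IPv6 transport addresses may say "tunnel" (or "route") while the packet is actually sent toward the IPv4 peer; consider evaluating `NeedsTunnelToPeer` against `tunnelPeerForFlow` and the matching transport address when `ipsecTunOFPort != 0`. Separately, the rewritten comment "In a dual-stack setup without IPsec enabled, one Node has 2 Node Internal Addresses" is misleading: a dual-stack Node has two addresses regardless of IPsec; what IPsec changes is which of them is used as the tunnel peer, so reword the comment to say that.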
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- github.com/antrea-io/antrea/blob/main/docs/traffic-encryption.md (NVD: Patch, Product; web)
- github.com/antrea-io/antrea/commit/738bad662b20a5d358d19466936176ef580a9b07 (NVD: Patch; web)
- github.com/antrea-io/antrea/pull/7757 (NVD: Issue Tracking, Patch; web)
- github.com/antrea-io/antrea/pull/7759 (NVD: Issue Tracking, Patch; web)
- github.com/antrea-io/antrea/security/advisories/GHSA-qcmw-8mm4-4p28 (NVD: Patch, Vendor Advisory; web)
- github.com/advisories/GHSA-qcmw-8mm4-4p28 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34992 (GHSA: advisory)