Medium severity6.5NVD Advisory· Published Apr 24, 2026· Updated Apr 29, 2026
CVE-2026-5265
CVE-2026-5265
Description
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11- www.openwall.com/lists/oss-security/2026/04/20/2nvd
- www.openwall.com/lists/oss-security/2026/04/20/4nvd
- access.redhat.com/errata/RHSA-2026:11694nvd
- access.redhat.com/errata/RHSA-2026:11695nvd
- access.redhat.com/errata/RHSA-2026:11696nvd
- access.redhat.com/errata/RHSA-2026:11698nvd
- access.redhat.com/errata/RHSA-2026:11700nvd
- access.redhat.com/errata/RHSA-2026:11701nvd
- access.redhat.com/errata/RHSA-2026:11702nvd
- access.redhat.com/security/cve/CVE-2026-5265nvd
- bugzilla.redhat.com/show_bug.cginvd
News mentions
0No linked articles in our index yet.