OVN Out-of-Bounds Read Exposes Heap Memory via DHCPv6
The National Vulnerability Database (NVD) has detailed CVE-2026-5367, a high-severity flaw in Open Virtual Network (OVN). This vulnerability, rated 8.6 CVSS, allows a remote attacker to trigger an out-of-bounds read in the ovn-controller. The attack vector is particularly insidious: sending specially crafted DHCPv6 SOLICIT packets with an inflated Client ID length.
This memory corruption isn’t just a crash; it leads directly to sensitive information disclosure. The ovn-controller reads beyond the allocated packet buffer, exposing heap memory contents. Crucially, this leaked data is then returned to the attacker’s virtual machine port. For organizations relying on OVN for their virtual networking infrastructure, this presents a critical risk, allowing adversaries to harvest internal system details.
Attackers are always looking for ways to bypass network segmentation and gain internal reconnaissance. This OVN vulnerability provides a direct channel for an unauthenticated remote attacker to exfiltrate heap memory. Defenders must prioritize patching OVN environments. This isn’t theoretical; it’s a clear path to internal data exposure for anyone with network access to OVN-managed systems.
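The bounds check whose absence produces this kind of over-read, as an added example (not OVN's code or its patch): a walk over DHCPv6 options that rejects a Client ID whose declared length exceeds the bytes actually received. The function, enum and sample names are hypothetical; the message type and option code values follow RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSG_SOLICIT  1  /* DHCPv6 message type (RFC 8415) */
#define OPT_CLIENTID 1  /* DHCPv6 option code (RFC 8415) */
#define MSG_HDR_LEN  4  /* msg-type (1) + transaction-id (3) */
#define OPT_HDR_LEN  4  /* option-code (2) + option-len (2) */
enum result { CID_FOUND = 0, CID_ABSENT = 1, CID_MALFORMED = -1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the options of a SOLICIT held in msg[0..len) and return the Client ID
 * (DUID) only if its declared length fits inside the received bytes. */
enum result find_client_id(const uint8_t *msg, size_t len,
                           const uint8_t **duid, size_t *duid_len)
{
    if (len < MSG_HDR_LEN || msg[0] != MSG_SOLICIT)
        return CID_MALFORMED;
    size_t off = MSG_HDR_LEN;
    while (off < len) {
        if (len - off < OPT_HDR_LEN)
            return CID_MALFORMED;        /* truncated option header */
        uint16_t code = be16(msg + off);
        uint16_t opt_len = be16(msg + off + 2);
        off += OPT_HDR_LEN;
        if (opt_len > len - off)
            return CID_MALFORMED;        /* declared length overruns buffer */
        if (code == OPT_CLIENTID) {
            *duid = msg + off;
            *duid_len = opt_len;
            return CID_FOUND;
        }
        off += opt_len;
    }
    return CID_ABSENT;
}

/* Constructed samples: a 10-byte Client ID, then the same bytes with
 * option-len declared as 256. */
static const uint8_t sample_ok[] = { 1, 0xaa, 0xbb, 0xcc, 0, 1, 0, 10,
                                     0, 3, 0, 1, 2, 0, 0x5e, 0x10, 0x20, 0x30 };
static const uint8_t sample_bad[] = { 1, 0xaa, 0xbb, 0xcc, 0, 1, 1, 0,
                                      0, 3, 0, 1, 2, 0, 0x5e, 0x10, 0x20, 0x30 };

int main(void) {
    const uint8_t *d; size_t n;
    printf("ok=%d bad=%d\n", find_client_id(sample_ok, sizeof sample_ok, &d, &n),
           find_client_id(sample_bad, sizeof sample_bad, &d, &n));
}
```

The comparison is written as `opt_len > len - off` rather than `off + opt_len > len` so the check itself cannot wrap.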
What This Means For You
- If your organization utilizes Open Virtual Network (OVN), you need to assess your exposure to CVE-2026-5367 immediately. This vulnerability allows remote attackers to extract sensitive heap memory contents. Prioritize patching OVN components and review network segmentation around OVN-managed virtual networks to limit potential attacker reach.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
CVE-2026-5367 - OVN DHCPv6 Out-of-Bounds Read
```yaml
title: CVE-2026-5367 - OVN DHCPv6 Out-of-Bounds Read
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects potential exploitation of CVE-2026-5367 by identifying DHCPv6 traffic
  (UDP port 547) sent from link-local IPv6 sources to the DHCPv6 multicast
  address, which could indicate an attacker attempting to trigger the
  out-of-bounds read vulnerability in ovn-controller by sending crafted
  SOLICIT packets.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5367/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: firewall
detection:
  selection:
    dst_port:
      - 547
    # DHCPv6 runs over IPv6 only, so IPv4 prefixes such as "10." can never
    # match it. Clients send SOLICIT from a link-local source address.
    src_ip|startswith:
      - 'fe80:'
    # All_DHCP_Relay_Agents_and_Servers multicast address (RFC 8415).
    dst_ip:
      - 'ff02::1:2'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Normal DHCPv6 client SOLICIT traffic
```
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5367 | Information Disclosure | OVN (Open Virtual Network) ovn-controller |
| CVE-2026-5367 | Buffer Overflow | Crafted DHCPv6 SOLICIT packets with inflated Client ID length |
| CVE-2026-5367 | Memory Corruption | Out-of-bounds read in ovn-controller |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.