CVE-2026-5367
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6)
CVSS
8.6
High
EPSS
0.9%
p55
KEV
—
Exploit Today
16
0-100
Published: Apr 24, 2026 · Last modified: Jul 15, 2026 · CWE-130
0.9%EPSS · 30 days0.9%
2026-06-302026-07-16
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11694
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11695
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11696
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11698
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11700
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11701
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11702
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22110
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22111
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-5367
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2455863
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/20/3
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/20/5
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11694
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11695
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11696
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11698
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11700
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11701
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11702
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-338467.5 HIG66.4%
——20A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.2dCVE-2026-422169.1 CRI37.3%
——11OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.2dCVE-2026-431259.8 CRI34.6%
——10In the Linux kernel, the following vulnerability has been resolved:
dlm: validate length in dlm_search_rsb_tree
The len parameter in dlm_dump_rsb_name() is not validated and comes
from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can
cause out-of-bounds write in dlm_search_rsb_tree().
Add length validation to prevent potential buffer overflow.2dCVE-2026-410357.4 HIG31.5%
——9In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.2dCVE-2026-43717.4 HIG28.3%
——8A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.2dCVE-2026-418985.3 MED20.0%
——6rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78.2d