YAOOK Security Advisory CVE-2026-46448

What is CVE-2026-46448 and how does it affect YAOOK?

Erichen from the Institute of Computing Technology, Chinese Academy of Sciences, reported that Nova’s server create API does not strip internal scheduler hints. An authenticated user can bypass placement resource claims and the enforcement of scheduling constraints, including restrictions relating to availability zones, host aggregates and image traits. The resulting instance has no placement allocation, which can lead to the exhaustion of compute node resources and cross-tenant data persistence on NVMe devices after the instance is deleted.

Is my cluster vulnerable?

The following images are vulnerable:
  • nova images prior to 1.1.141
  • YAOOK releases before 2.4.0
If one of these images is used in your cluster for the nova-api/nova-scheduler deployment, the cluster is vulnerable.
 
The image was pre-built in a private pipeline. It has now been published, so you can have a look.
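
One way to run the check above over a list of image references, as an added example (not YAOOK's own tooling): it classifies each reference against the 1.1.141 threshold given in this advisory. The repository naming pattern is assumed from the override example further down this page, and the sample image list is constructed.

```python
import re

FIXED = (1, 1, 141)  # first nova image version not listed as vulnerable

# Assumption: nova images are named as in the advisory's override example,
# e.g. registry.yaook.cloud/yaook/nova-2024.1:1.1.141
NOVA_REF = re.compile(
    r"^(?P<repo>(?:[^/@\s]+/)*nova-[0-9]{4}\.[0-9]+)"
    r"(?::(?P<tag>[^@\s]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def classify(image_ref):
    """Return 'vulnerable', 'fixed', 'unknown' or 'not-nova' for one image."""
    m = NOVA_REF.match(image_ref.strip())
    if m is None:
        return "not-nova"
    tag = m.group("tag")
    # Digest-only references and non-numeric tags cannot be compared;
    # report them for manual review instead of guessing.
    if tag is None or not re.fullmatch(r"\d+\.\d+\.\d+", tag):
        return "unknown"
    # Compare numerically: as strings, "1.1.9" would sort after "1.1.141".
    version = tuple(int(part) for part in tag.split("."))
    return "vulnerable" if version < FIXED else "fixed"


def audit(image_refs):
    """Map each distinct image reference to its classification."""
    return {ref: classify(ref) for ref in sorted(set(image_refs))}


# Constructed sample input, standing in for the images used by the
# nova-api / nova-scheduler pods of a cluster.
SAMPLE = [
    "registry.yaook.cloud/yaook/nova-2024.1:1.1.140",
    "registry.yaook.cloud/yaook/nova-2024.2:1.1.141",
    "registry.yaook.cloud/yaook/nova-2025.1:1.1.9",
    "registry.yaook.cloud/yaook/nova-2023.2@sha256:" + "0" * 64,
    "registry.example.test/other/service:1.0.0",
]

if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {ref}")
```

References reported as unknown are pinned by digest or carry a non-numeric tag, so their version has to be confirmed by hand.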

Upgrading

A new stable release will be published according to the release cycle and hotfix releases will be produced starting now. You can upgrade to that release simply by updating your operators.
 
However, we recommend adding a YAOOK_OP_VERSIONS_OVERRIDE variable to your Nova operator container to pull the image before the YAOOK comprehensive release is ready.
 
The best way to do this is to set the following in the values.yaml file of your nova-operator (make sure to merge this correctly with any existing values.yaml file, if you have one).
operator:
  extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
        {
          "registry.yaook.cloud/yaook/nova-2023.2": "registry.yaook.cloud/yaook/nova-2023.2:1.1.141",
          "registry.yaook.cloud/yaook/nova-2024.1": "registry.yaook.cloud/yaook/nova-2024.1:1.1.141",
          "registry.yaook.cloud/yaook/nova-2024.2": "registry.yaook.cloud/yaook/nova-2024.2:1.1.141",
          "registry.yaook.cloud/yaook/nova-2025.1": "registry.yaook.cloud/yaook/nova-2025.1:1.1.141"
        }
If you are not using Helm, you can add the environment variable to the env section of your nova-operator’s Deployment’s pod template.