YAOOK Security Advisory for CVE-2026-5265 and CVE-2026-5367

• Date: 2026-05-26
• Upstream advisory: https://mail.openvswitch.org/pipermail/ovs-announce/2026-April/000394.html and https://mail.openvswitch.org/pipermail/ovs-announce/2026-April/000395.html

What is CVE-2026-5265 and how does it affect YAOOK?

If OVN generates icmp error messages (for whatever reason) the icmp packet contains
parts of the error generating packet. Users can trick OVN into reading past the original
packet for at most 576 bytes.

You can generally assume your cluster is affected by this.

What is CVE-2026-5367 and how does it affect YAOOK?

If OVN handles dhcpv6 and provides dhcpv6 options to users then an attacker can trick
OVN into reading memory outside of the original packet.

Only ports that have `dhcpv6_options` set on the LSP.

Is my cluster vulnerable?

The following images are vulnerable:

• ovn images before 1.0.153
• yaook release before v2.3.0 (<=v2.2.0)

If any of these images are used in your cluster, the cluster is vulnerable.

Upgrading

A new stable release will be published according to the release cycle.
You can upgrade to that release simply by updating your operators.

If you want to upgrade in advance you can pin your ovn image to
v24.09.3-1.0.153 in the neutron-operator:

values:
  operator:
    extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
        registry.yaook.cloud/yaook/ovn: registry.yaook.cloud/yaook/ovn:v24.09.3-1.0.153