{"id":5376,"date":"2026-06-17T12:47:57","date_gmt":"2026-06-17T10:47:57","guid":{"rendered":"https:\/\/yaook.cloud\/?page_id=5376"},"modified":"2026-06-18T17:51:52","modified_gmt":"2026-06-18T15:51:52","slug":"security-advisories-cve-2026-46448","status":"publish","type":"page","link":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-46448\/","title":{"rendered":"security-advisories\/cve-2026-46448"},"content":{"rendered":"<div data-elementor-type=\"wp-page\" data-elementor-id=\"5376\" class=\"elementor elementor-5376\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-56e0628 e-flex e-con-boxed e-con e-parent\" data-id=\"56e0628\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-050bc69 elementor-widget elementor-widget-text-editor\" data-id=\"050bc69\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h1>YAOOK Security Advisory CVE-2026-46448<\/h1><ul><li>Date: 17 June 2026<\/li><li>Upstream advisory: <a href=\"https:\/\/security.openstack.org\/ossa\/OSSA-2026-022.html\">https:\/\/security.openstack.org\/ossa\/OSSA-2026-022.html<\/a><\/li><\/ul><h2>What is CVE-2026-46448 and how does it affect YAOOK?<\/h2><div>Erichen from the Institute of Computing Technology, Chinese Academy of Sciences, reported that Nova\u2019s server create API does not strip internal scheduler hints. An authenticated user can bypass placement resource claims and the enforcement of scheduling constraints, including restrictions relating to availability zones, host aggregates and image traits. 
The resulting instance has no placement allocation, which can lead to the exhaustion of compute node resources and cross-tenant data persistence on NVMe devices after the instance is deleted.<\/div><h2>Is my cluster vulnerable?<\/h2><div>The following images are vulnerable:<\/div><ul><li>nova images prior to 1.1.141<\/li><li>YAOOK releases before 2.4.0<\/li><\/ul><div>If this image is used in your cluster for the nova-api\/nova-scheduler deployment, the cluster is vulnerable.<\/div><div>\u00a0<\/div><div>The image was <a href=\"https:\/\/gitlab.com\/yaook-security\/images\/nova\/-\/pipelines\/2590854747\">pre-built in a private pipeline<\/a>. It\u2019s now been published, so you can have a look.<\/div><h2>Upgrading<\/h2><div>A new stable release will be published according to the release cycle and hotfix releases will be produced starting now. You can upgrade to that release simply by updating your operators.<\/div><div>\u00a0<\/div><div>However, we recommend adding a <a title=\"https:\/\/docs.yaook.cloud\/user\/references\/env-reference.html#envvar-YAOOK_OP_VERSIONS_OVERRIDE\" href=\"https:\/\/docs.yaook.cloud\/user\/references\/env-reference.html#envvar-YAOOK_OP_VERSIONS_OVERRIDE\" target=\"_blank\" rel=\"noopener noreferrer\">YAOOK_OP_VERSIONS_OVERRIDE<\/a> variable to your Nova operator container to pull the fixed image before the comprehensive YAOOK release is ready.<\/div><div>\u00a0<\/div><div>The best way to do this is to set the following in the values.yaml file of your nova-operator (make sure to merge this correctly with any existing values.yaml file, if you have one).<\/div><pre class=\"rcx-box rcx-box--full rcx-css-1siaxf\" role=\"region\" data-code-block-wrapper=\"true\"><code class=\"code-colors language-yaml hljs\"><span class=\"hljs-attr\">operator:<\/span>\n    <span class=\"hljs-attr\">extraEnv:<\/span>\n    <span class=\"hljs-bullet\">-<\/span> <span class=\"hljs-attr\">name:<\/span> <span class=\"hljs-string\">YAOOK_OP_VERSIONS_OVERRIDE<\/span>
\n      <span class=\"hljs-attr\">value:<\/span> <span class=\"hljs-string\">|\n        {\n          \"registry.yaook.cloud\/yaook\/nova-2023.2\": \"registry.yaook.cloud\/yaook\/nova-2023.2:1.1.141\",\n          \"registry.yaook.cloud\/yaook\/nova-2024.1\": \"registry.yaook.cloud\/yaook\/nova-2024.1:1.1.141\",\n          \"registry.yaook.cloud\/yaook\/nova-2024.2\": \"registry.yaook.cloud\/yaook\/nova-2024.2:1.1.141\",\n          \"registry.yaook.cloud\/yaook\/nova-2025.1\": \"registry.yaook.cloud\/yaook\/nova-2025.1:1.1.141\"\n        }<\/span><\/code><\/pre><div>If you are not using Helm, you can add the environment variable to the <code class=\"code-colors inline\">env<\/code> section of the pod template in your nova-operator\u2019s Deployment.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>YAOOK Security Advisory CVE-2026-46448 Date: 2026-06-17 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-022.html What is CVE-2026-46448 and how does it affect YAOOK? Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova\u2019s server create API does not strip internal scheduler hints. 
An authenticated user can bypass Placement resource claims and scheduling constraint enforcement, including availability [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5376","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>security-advisories\/cve-2026-46448 &#187; Yaook<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-46448\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"security-advisories\/cve-2026-46448 &#187; Yaook\" \/>\n<meta property=\"og:description\" content=\"YAOOK Security Advisory CVE-2026-46448 Date: 2026-06-17 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-022.html What are CVE-2026-46448 and how do they affect YAOOK? Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova\u2019s server create API does not strip internal scheduler hints. 
An authenticated user can bypass Placement resource claims and scheduling constraint enforcement, including availability [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-46448\/\" \/>\n<meta property=\"og:site_name\" content=\"Yaook\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-18T15:51:52+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2026-46448\\\/\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2026-46448\\\/\",\"name\":\"security-advisories\\\/cve-2026-46448 &#187; Yaook\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#website\"},\"datePublished\":\"2026-06-17T10:47:57+00:00\",\"dateModified\":\"2026-06-18T15:51:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2026-46448\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2026-46448\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2026-46448\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/yaook.cloud\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"security-advisories\\\/cve-2026-46448\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#website\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/\",\"name\":\"Yaook\",\"description\":\"The Lifecycle Management Tool for 
OpenStack\",\"publisher\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/yaook.cloud\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#organization\",\"name\":\"ALASCA e.V.\",\"alternateName\":\"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen e.V.\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/alasca.cloud\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/favicon.png\",\"contentUrl\":\"https:\\\/\\\/alasca.cloud\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/favicon.png\",\"width\":512,\"height\":512,\"caption\":\"ALASCA e.V.\"},\"image\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"security-advisories\/cve-2026-46448 \u00bb Yaook","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-46448\/","og_locale":"en_GB","og_type":"article","og_title":"security-advisories\/cve-2026-46448 &#187; Yaook","og_description":"YAOOK Security Advisory CVE-2026-46448 Date: 2026-06-17 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-022.html What are CVE-2026-46448 and how do they affect YAOOK? Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova\u2019s server create API does not strip internal scheduler hints. 
An authenticated user can bypass Placement resource claims and scheduling constraint enforcement, including availability [&hellip;]","og_url":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-46448\/","og_site_name":"Yaook","article_modified_time":"2026-06-18T15:51:52+00:00","twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2026-46448\/","url":"https:\/\/yaook.cloud\/security-advisories-cve-2026-46448\/","name":"security-advisories\/cve-2026-46448 \u00bb Yaook","isPartOf":{"@id":"https:\/\/yaook.cloud\/#website"},"datePublished":"2026-06-17T10:47:57+00:00","dateModified":"2026-06-18T15:51:52+00:00","breadcrumb":{"@id":"https:\/\/yaook.cloud\/security-advisories-cve-2026-46448\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/yaook.cloud\/security-advisories-cve-2026-46448\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2026-46448\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/yaook.cloud\/"},{"@type":"ListItem","position":2,"name":"security-advisories\/cve-2026-46448"}]},{"@type":"WebSite","@id":"https:\/\/yaook.cloud\/#website","url":"https:\/\/yaook.cloud\/","name":"Yaook","description":"The Lifecycle Management Tool for OpenStack","publisher":{"@id":"https:\/\/yaook.cloud\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/yaook.cloud\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/yaook.cloud\/#organization","name":"ALASCA e.V.","alternateName":"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen 
e.V.","url":"https:\/\/yaook.cloud\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/","url":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","contentUrl":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","width":512,"height":512,"caption":"ALASCA e.V."},"image":{"@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/comments?post=5376"}],"version-history":[{"count":10,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5376\/revisions"}],"predecessor-version":[{"id":5391,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5376\/revisions\/5391"}],"wp:attachment":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/media?parent=5376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}