MEDIUM 5.4 PyPI
OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
GHSA-mfg3-p6m3-gjgr · CVE-2026-46448
Published · Modified
Description
Affects
- Nova: >=18.0.0 <31.3.1, >=32.0.0 <32.2.1, >=33.0.0 <33.0.2
Description
Erichen from the Institute of Computing Technology, Chinese Academy of
Sciences reported that Nova's server create API does not strip internal
scheduler hints. An authenticated user can bypass Placement resource
claims and scheduling constraint enforcement, including availability
zone, host aggregate, and image trait restrictions. The resulting
instance has no Placement allocation, which can lead to compute node
resource exhaustion and cross-tenant data persistence on NVMe devices
after instance deletion. Deployments running Nova 18.0.0 or later are
affected.
Patches
- https://review.opendev.org/993604 (2025.1/epoxy)
- https://review.opendev.org/993603 (2025.2/flamingo)
- https://review.opendev.org/993602 (2026.1/gazpacho)
- https://review.opendev.org/993601 (2026.2/hibiscus)
Credits
- Erichen from Institute of Computing Technology, Chinese Academy of
Sciences (CVE-2026-46448)
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-46448
- WEB https://bugs.launchpad.net/nova/+bug/2151252
- PACKAGE https://github.com/openstack/nova
- WEB https://review.opendev.org/993601
- WEB https://review.opendev.org/993602
- WEB https://review.opendev.org/993603
- WEB https://review.opendev.org/993604
- WEB https://www.openwall.com/lists/oss-security/2026/06/16/5
- WEB http://www.openwall.com/lists/oss-security/2026/06/16/5
Ready to move
Start Securing
Free, no credit card | First findings in minutes