
CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea

Severity: High
Type: Vulnerability
Tags: cve, cve-2026-25804, cwe-287, cwe-770
Published: Fri Feb 06 2026 (02/06/2026, 22:58:35 UTC)
Source: CVE Database V5
Vendor/Project: antrea-io
Product: antrea

Description

Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large number of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in version 2.4.3.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/14/2026, 12:14:12 UTC

Technical Analysis

CVE-2026-25804 is a vulnerability in Antrea, an open-source Kubernetes networking solution designed to be Kubernetes native. The issue stems from a uint16 arithmetic overflow in the network policy priority assignment mechanism. Antrea uses OpenFlow rules to enforce network policies, assigning priorities to these rules to determine traffic handling order. When a large number of policies with varying priority values are processed, the uint16 overflow causes incorrect priority calculations. This miscalculation can lead to improper enforcement of network policies, allowing unauthorized traffic flows or blocking legitimate ones. The vulnerability affects Antrea versions before 2.3.2 and versions from 2.4.0 up to, but not including, 2.4.3, with the fix implemented in 2.4.3.

The CVSS 4.0 base score is 8.0 (high), reflecting the vulnerability's remote exploitability without authentication or user interaction, and its significant impact on confidentiality and integrity. The vulnerability is categorized under CWE-287 (Improper Authentication) and CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the flaw arises from improper handling of priority values leading to overflow and incorrect access control enforcement. No known exploits have been reported yet, but the potential for bypassing network segmentation controls in Kubernetes environments is a serious concern. This vulnerability could be exploited by attackers to circumvent network policies, potentially enabling lateral movement, data exfiltration, or denial of service within Kubernetes clusters.
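The failure class described above, as an added Go example. It is not Antrea's code and not part of this advisory: the constants basePriority and step and all function names are hypothetical, chosen only so that a 16-bit OpenFlow priority wraps after a handful of rules. It shows unchecked uint16 arithmetic inverting rule order beside a checked version that refuses out-of-range results.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Hypothetical values for illustration only; not Antrea's real constants.
const (
	basePriority uint16 = 64000 // constructed starting priority
	step         uint16 = 100   // constructed gap between consecutive rules
)

var ErrPriorityRange = errors.New("priority does not fit in uint16")

// uncheckedPriority does the arithmetic in uint16, so a large rank wraps
// around silently instead of failing.
func uncheckedPriority(rank uint16) uint16 {
	return basePriority + rank*step
}

// checkedPriority does the arithmetic in int and rejects any result that
// cannot be represented in the 16-bit priority field.
func checkedPriority(rank int) (uint16, error) {
	if rank < 0 || rank > math.MaxUint16 {
		return 0, ErrPriorityRange
	}
	p := int(basePriority) + rank*int(step)
	if p > math.MaxUint16 {
		return 0, ErrPriorityRange
	}
	return uint16(p), nil
}

// orderingInverted reports whether the rule that should match first
// (higher rank) ended up with a numerically lower priority.
func orderingInverted(lowRank, highRank uint16) bool {
	return uncheckedPriority(highRank) < uncheckedPriority(lowRank)
}

func main() {
	fmt.Println(uncheckedPriority(15), uncheckedPriority(16))
	fmt.Println(orderingInverted(15, 16))
	_, err := checkedPriority(16)
	fmt.Println(err)
}
```

Failing closed in the checked path turns a silent mis-ordering into an error that the caller must handle, for example by reassigning priorities across the full range.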

Potential Impact

For European organizations, this vulnerability poses a significant risk to the security of Kubernetes-based infrastructure. Many enterprises and cloud providers in Europe rely on Kubernetes for container orchestration, and Antrea is a popular CNI (Container Network Interface) plugin in these environments. Incorrect enforcement of network policies can lead to unauthorized access between pods, exposing sensitive data and critical services. This undermines confidentiality and integrity, potentially allowing attackers to move laterally within clusters or disrupt services. Critical sectors such as finance, healthcare, telecommunications, and government services, which increasingly depend on Kubernetes for scalable and secure deployments, are particularly vulnerable. The vulnerability's remote exploitability without authentication increases the attack surface, especially in multi-tenant or hybrid cloud environments common in Europe. Failure to patch could result in regulatory compliance issues under GDPR and other data protection laws due to potential data breaches.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately upgrade Antrea to version 2.4.3 or later, where the overflow bug is fixed. Prior to upgrading, audit existing network policies to identify unusually large or complex priority configurations that might trigger the overflow. Implement strict change management and monitoring of network policy deployments to detect anomalous traffic flows indicative of policy bypass. Employ network segmentation and zero-trust principles at multiple layers to reduce reliance on a single enforcement mechanism. Consider deploying runtime security tools that monitor Kubernetes network traffic for policy violations. Additionally, maintain up-to-date Kubernetes and CNI plugin versions, and subscribe to vendor security advisories. For environments where immediate upgrade is not feasible, restrict access to the Kubernetes API and control plane to trusted administrators and networks to reduce exploitation risk. Finally, document and test incident response plans for potential network policy breaches.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T19:58:01.641Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69867278f9fa50a62f39d4f2

Added to database: 2/6/2026, 11:00:08 PM

Last enriched: 2/14/2026, 12:14:12 PM

Last updated: 3/23/2026, 8:46:00 PM
