CVE-2026-25804 is a vulnerability identified in Antrea, an open-source Kubernetes networking solution designed to be Kubernetes-native and provide network policy enforcement via OpenFlow rules. The vulnerability arises from a uint16 arithmetic overflow in the network policy priority assignment system. Specifically, when handling a large number of network policies with various priority values, the system incorrectly calculates OpenFlow priorities due to the overflow, which causes the priority values to wrap around. This results in incorrect enforcement of network policies, potentially allowing unauthorized traffic flows that should have been blocked or restricted. The flaw is categorized under CWE-287 (Improper Authentication) and CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the system fails to properly authenticate or validate priority assignments and does not handle resource limits correctly. The vulnerability affects Antrea versions prior to 2.3.2 and versions from 2.4.0 up to but not including 2.4.3. The issue has been addressed and patched in version 2.4.3. The CVSS 4.0 base score is 8.0 (high severity), reflecting the vulnerability's network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. No known exploits are currently reported in the wild, but the potential for unauthorized network traffic manipulation poses significant risks in Kubernetes environments relying on Antrea for network policy enforcement.

For European organizations, this vulnerability poses a significant risk to Kubernetes cluster security, especially those deploying Antrea for network policy enforcement. Incorrect OpenFlow priority calculations can lead to unauthorized network traffic flows, potentially exposing sensitive data or allowing lateral movement within the cluster. This undermines the confidentiality and integrity of internal communications and workloads. Organizations relying on Antrea in multi-tenant or regulated environments (such as finance, healthcare, or critical infrastructure) may face compliance violations and increased risk of data breaches. The vulnerability could also disrupt availability if malicious actors exploit it to bypass network segmentation or isolate critical services. Given the widespread adoption of Kubernetes and cloud-native technologies across Europe, failure to patch could lead to targeted attacks exploiting this flaw to compromise containerized workloads or evade network security controls.

European organizations should immediately upgrade Antrea to version 2.4.3 or later, where the vulnerability is patched. Until upgrades are possible, administrators should audit and limit the number of network policies and their priority values to reduce the risk of triggering the overflow condition. Implement strict network segmentation and monitoring to detect anomalous traffic flows that may indicate exploitation attempts. Employ Kubernetes network policy best practices, including least privilege and zero-trust principles, to minimize attack surface. Regularly review and update cluster security configurations and ensure that Antrea deployments are included in vulnerability management programs. Additionally, consider deploying runtime network monitoring tools capable of detecting deviations in expected traffic patterns caused by incorrect policy enforcement. Engage with Antrea community and vendor channels for updates and advisories.