Red Hat has issued a security advisory (RHSA-2026:11700) for ovn24.03 in the Fast Datapath for Red Hat Enterprise Linux 9 addressing two vulnerabilities: CVE-2026-5265, a heap over-read in ICMP error response generation, and CVE-2026-5367, an information disclosure vulnerability via crafted DHCPv6 packets. OVN is a system that supports virtual network abstraction and complements Open vSwitch capabilities. The advisory provides updated packages for multiple architectures including x86_64, ppc64le, s390x, and aarch64. The vulnerabilities have been assigned an Important severity rating by Red Hat, though no CVSS scores are provided in the advisory. The update is available through official Red Hat channels, and detailed instructions for applying the update are provided in the referenced Red Hat article.

The heap over-read vulnerability (CVE-2026-5265) could lead to potential memory safety issues during ICMP error response generation in OVN, possibly causing crashes or unintended behavior. The information disclosure vulnerability (CVE-2026-5367) could allow an attacker to gain unauthorized information by sending crafted DHCPv6 packets. Both vulnerabilities affect the security and stability of virtual network abstractions managed by OVN in Red Hat Fast Datapath for RHEL 9. Red Hat rates the overall security impact as Important, indicating a high level of risk if unpatched. There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated ovn24.03 packages for Fast Datapath on Red Hat Enterprise Linux 9 that address these vulnerabilities. Users should apply these official security updates promptly following Red Hat's published guidance (https://access.redhat.com/articles/11258). Since this is an official fix, applying the update fully mitigates the vulnerabilities. No additional or alternative mitigations are indicated or required by the vendor advisory.