=====================================================================
                            CERT-Renater
                 Information Note No. 2026/VULN642
_____________________________________________________________________

DATE                 : 17/06/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Nova versions prior to 31.3.1, 32.2.1, 33.0.2.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-022.html
_____________________________________________________________________

OSSA-2026-022: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints

Date: June 16, 2026
CVE: CVE-2026-46448

Affects
Nova: >=18.0.0 <31.3.1, >=32.0.0 <32.2.1, >=33.0.0 <33.0.2

Description
Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova’s server create API does not strip internal scheduler hints. An authenticated user can bypass Placement resource claims and scheduling constraint enforcement, including availability zone, host aggregate, and image trait restrictions. The resulting instance has no Placement allocation, which can lead to compute node resource exhaustion and cross-tenant data persistence on NVMe devices after instance deletion. Deployments running Nova 18.0.0 or later are affected.

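
An audit for the condition described above (an instance on a compute host with no Placement allocation), as an added example that is not part of the advisory or of Nova. It assumes the operator has already collected server details and Placement `GET /allocations/{consumer_uuid}` bodies with admin credentials; the function names are hypothetical and all IDs, hosts and values are constructed.

```python
from collections import defaultdict

HOST_KEY = "OS-EXT-SRV-ATTR:host"  # admin-only attribute in Nova server details


def has_allocation(alloc_body):
    """True if a Placement allocations body claims at least one resource."""
    allocations = (alloc_body or {}).get("allocations") or {}
    return any(rp.get("resources") for rp in allocations.values())


def unallocated_instances(servers, allocations_by_consumer):
    """Map host -> [(server_id, project_id, status)] for servers that sit on a
    compute host but hold no Placement allocation."""
    findings = defaultdict(list)
    for srv in servers:
        host = srv.get(HOST_KEY)
        if not host:  # unscheduled or shelved-offloaded: no claim expected
            continue
        if not has_allocation(allocations_by_consumer.get(srv["id"])):
            findings[host].append((srv["id"], srv.get("tenant_id"), srv.get("status")))
    return dict(findings)


# Constructed sample data (not taken from a real deployment).
SERVERS = [
    {"id": "srv-a", "tenant_id": "proj-1", "status": "ACTIVE", HOST_KEY: "cmp-01"},
    {"id": "srv-b", "tenant_id": "proj-2", "status": "ACTIVE", HOST_KEY: "cmp-01"},
    {"id": "srv-c", "tenant_id": "proj-1", "status": "SHELVED_OFFLOADED", HOST_KEY: None},
    {"id": "srv-d", "tenant_id": "proj-3", "status": "ACTIVE", HOST_KEY: "cmp-02"},
]
ALLOCATIONS = {
    "srv-a": {"allocations": {"rp-cmp-01": {"resources": {"VCPU": 2, "MEMORY_MB": 4096}}}},
    "srv-b": {"allocations": {}},  # consumer known to Placement, nothing claimed
    "srv-c": {"allocations": {}},
    # srv-d: no allocation record was collected at all
}

if __name__ == "__main__":
    for host, rows in sorted(unallocated_instances(SERVERS, ALLOCATIONS).items()):
        for server_id, project, status in rows:
            print(f"{host}: {server_id} (project {project}, {status}) has no allocation")
```

A hit is a lead for review rather than proof of abuse; the status column is kept so transitional states can be triaged separately.
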
Patches
https://review.opendev.org/993604 (2025.1/epoxy)
https://review.opendev.org/993603 (2025.2/flamingo)
https://review.opendev.org/993602 (2026.1/gazpacho)
https://review.opendev.org/993601 (2026.2/hibiscus)

Credits
Erichen from Institute of Computing Technology, Chinese Academy of Sciences (CVE-2026-46448)

References
https://launchpad.net/bugs/2151252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-46448

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================