Skip to main content

CVE-2026-34992

HIGH
Missing Encryption of Sensitive Data (CWE-311)
2026-04-03 https://github.com/antrea-io/antrea GHSA-qcmw-8mm4-4p28
Authentication Bypass
7.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 23:52 vuln.today
cvss_changed
Analysis Generated
Apr 03, 2026 - 04:15 vuln.today
Patch released
Apr 03, 2026 - 04:15 nvd
Patch available
CVE Published
Apr 03, 2026 - 04:02 nvd
HIGH 7.1

DescriptionNVD

Impact

This is a missing encryption vulnerability (CWE-311) affecting inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fails to apply encryption for IPv6 Pod traffic.

While the IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because the packets are encapsulated (using Geneve or VXLAN) but bypass the IPsec encryption layer.

Impacted Users: users with dual-stack clusters and IPsec encryption enabled.

Single-stack IPv4 or IPv6 clusters are not affected.

Patches

Yes, the issue has been patched: https://github.com/antrea-io/antrea/pull/7759 Users should upgrade to one of the following versions:

  • Antrea v2.6.0 or later
  • Antrea v2.5.2
  • Antrea v2.4.5

Antrea recommends running the antctl check installation --run ipsec tool after upgrading to verify that both address families are correctly producing ESP traffic.

Workarounds

There is no configuration workaround to enable IPsec IPv6 in affected versions. If an immediate upgrade is not possible, user may consider using WireGuard instead for inter-Node Pod traffic encryption. The WireGuard support in Antrea does *not* suffer from the same issue.

Resources

Pull Request with Fix: antrea-io/antrea#7759 Validation Tool PR: antrea-io/antrea#7757 Antrea Documentation: Traffic Encryption Guide

AnalysisAI

IPv6 Pod traffic in Antrea dual-stack Kubernetes clusters transmits in plaintext despite IPsec encryption configuration, exposing inter-node communication to network eavesdropping. Affects Antrea versions prior to 2.6.0, 2.5.2, and 2.4.5 when dual-stack networking is enabled with trafficEncryptionMode: ipsec. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Verify Antrea version and dual-stack + IPsec configuration in production clusters using 'kubectl get daemonset -n kube-system antrea -o yaml'. Within 7 days: Apply vendor-released patches-upgrade to Antrea 2.6.0, 2.5.2, or 2.4.5 (select version matching your current release branch) and restart affected nodes via rolling updates. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-34992 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy