Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
Analysis (AI)
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Low-privileged authenticated access to the OpenStack Ironic API is required (CVSS PR:L); unauthenticated exploitation is not possible. … |
| Risk Assessment | CVSS 4.3 Medium with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L places this as network-reachable but requiring low-privileged credentials, with only partial availability impact. … |
| Exploit Scenario | An attacker holding a low-privileged OpenStack account submits a bare-metal provisioning request to the Ironic API, specifying file:///dev/zero as the image URL. The Ironic conductor accepts the request and begins computing a checksum against /dev/zero, which returns null bytes indefinitely. … |
| Remediation | The upstream fix is available at commit a3f6d735ac3642ab95b49142c7305f072ae748d0 (https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0); operators should apply this commit or upgrade to a downstream distribution package that includes it. … |
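The root cause described above is a checksum loop that reads "until EOF" from a source that has no EOF. The following added example (written for this page, not Ironic's own code and not the content of commit a3f6d73) shows the vulnerable read pattern next to two defensive controls a conductor-style service can apply before hashing a local image: refuse anything that is not a regular file (character devices such as /dev/zero, FIFOs) and enforce a hard byte budget while streaming, so even a misjudged source cannot spin forever. The `EndlessZeroStream` class is a constructed stand-in for /dev/zero so the example runs without touching the real device; the function names and the size limits are illustrative.

```python
import hashlib
import io
import os
import stat
import tempfile

CHUNK_SIZE = 64 * 1024


class ImageTooLargeError(ValueError):
    """Raised when an image source exceeds the configured byte budget."""


class EndlessZeroStream(io.RawIOBase):
    """Constructed stand-in for file:///dev/zero: every read is satisfied with
    NUL bytes and readinto() never returns 0, so there is no EOF to reach."""

    def readable(self):
        return True

    def readinto(self, b):
        n = len(b)
        b[:n] = bytes(n)
        return n


def unbounded_sha256(stream):
    """The vulnerable pattern: hash chunks until read() returns b''.
    Correct for regular files, never terminates for a stream without EOF.
    Shown for contrast only; do not call it on EndlessZeroStream."""
    h = hashlib.sha256()
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            return h.hexdigest()
        h.update(chunk)


def bounded_sha256(stream, max_bytes):
    """Hash at most max_bytes from stream; abort as soon as the budget is
    exceeded. Returns (hex_digest, bytes_read)."""
    h = hashlib.sha256()
    total = 0
    while True:
        # Never request more than is needed to prove the limit is exceeded,
        # so an endless source costs at most max_bytes + 1 bytes of reading.
        want = min(CHUNK_SIZE, max_bytes - total + 1)
        chunk = stream.read(want)
        if not chunk:
            return h.hexdigest(), total
        total += len(chunk)
        if total > max_bytes:
            raise ImageTooLargeError(
                f"source exceeded {max_bytes} bytes; checksum aborted")
        h.update(chunk)


def checksum_bytes(data, max_bytes):
    """Convenience wrapper: bounded checksum over an in-memory byte string."""
    return bounded_sha256(io.BytesIO(data), max_bytes)


def checksum_local_image(path, max_bytes):
    """Checksum a file:// image safely: open non-blocking (so a FIFO cannot
    hang the open), fstat the descriptor, and refuse non-regular files before
    a single byte is hashed. The declared size is checked first, the
    streaming budget second, so a file that grows mid-read is still bounded."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NONBLOCK", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"refusing to checksum non-regular file: {path}")
        if st.st_size > max_bytes:
            raise ImageTooLargeError(
                f"{path} is {st.st_size} bytes, limit is {max_bytes}")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        return bounded_sha256(f, max_bytes)


def demo():
    """Exercise the controls on constructed inputs and report the outcomes."""
    results = {}
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(b"constructed image payload\n" * 1000)  # ~25 KiB regular file
        path = tf.name
    try:
        results["regular_file"] = checksum_local_image(path, max_bytes=1 << 20)
        try:
            checksum_local_image(path, max_bytes=100)
        except ImageTooLargeError:
            results["size_limit"] = "rejected"
    finally:
        os.unlink(path)
    try:
        bounded_sha256(EndlessZeroStream(), max_bytes=1 << 20)
    except ImageTooLargeError:
        results["endless_stream"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two independent checks are deliberate: the regular-file test stops device and pipe sources at the front door, and the byte budget in `bounded_sha256` protects every code path that hashes a stream, including remote images whose Content-Length cannot be trusted. Operators can also treat a checksum task that runs far past the expected image size as a detection signal for this class of abuse.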
Related OpenStack Ironic vulnerabilities (summaries truncated on the page)
- Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence …
- Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limi…
- Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the ba…
- Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to …
- Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated oper…
- File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Secu…
- Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose …
Weakness: CWE-696 Incorrect Behavior Order
Technique: Denial of Service
Related identifiers: EUVD-2026-30209, GHSA-4g73-w726-53h3