OpenStack Nova CVE-2026-46448

EUVD: EUVD-2026-37218 | HIGH
Incorrect Resource Transfer Between Spheres (CWE-669)
CVSS 3.1 score: 8.5 (NVD)

Severity by source

  • Vendor (CNA), PRIMARY: MEDIUM (qualitative)
  • NVD: 8.5 HIGH (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H)
  • vuln.today AI: 8.5 HIGH
    Network API reachable (AV:N) with low complexity, exploitable by an ordinary authenticated tenant (PR:L); broken cross-service resource accounting (S:C, I:L) enables host resource exhaustion (A:H) with no confidentiality impact.
    CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
    CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H
  • Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from Vendor (CNA).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: Low
  • Availability: High

Lifecycle Timeline (8 events)

  • Jun 26, 2026 - 15:58, vuln.today: Analysis Updated, v3 (cvss_changed)
  • Jun 26, 2026 - 15:58, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 26, 2026 - 15:52, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 26, 2026 - 15:52, NVD: Severity Changed, MEDIUM → HIGH
  • Jun 26, 2026 - 15:52, NVD: CVSS changed, 5.4 (MEDIUM) → 8.5 (HIGH)
  • Jun 16, 2026 - 21:02, EUVD: Patch available
  • Jun 16, 2026 - 20:22, NVD: CVSS changed, 5.4 (MEDIUM)
  • Jun 16, 2026 - 16:16, vuln.today: Analysis Generated

Description (PRE-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Resource-accounting bypass in OpenStack Nova (compute service) lets an authenticated tenant create an instance whose scheduler hint data is not properly stripped, resulting in a running VM that has no corresponding Placement allocation. Because the instance consumes real host CPU/RAM/disk that the Placement service never accounted for, an attacker with ordinary project credentials can quietly over-subscribe a compute host and degrade availability for co-located tenants. …
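
A defender-side check for the condition described above (an instance on a compute host with no Placement allocation), as an added example that is not part of the original page or of Nova's own code. The record shapes, the field names (`uuid`, `host`, `vcpus`, `ram_mb`, `disk_gb`) and all sample values are constructed assumptions; in a deployment they would be exported from the Nova server list and the per-instance Placement allocations.

```python
"""Reconcile Nova instances against Placement allocations.

Record shapes and sample values are constructed for illustration.
"""
from collections import defaultdict

RESOURCE_KEYS = ("vcpus", "ram_mb", "disk_gb")


def find_unallocated(instances, allocations):
    """Return instances that sit on a host but hold no Placement allocation.

    instances:   list of dicts with uuid, host and flavor resources
    allocations: dict mapping consumer UUID -> {resource_provider: resources}
    """
    missing = []
    for inst in instances:
        if not inst.get("host"):
            continue  # not on a compute host (e.g. shelved-offloaded)
        # A missing key and an empty allocation both mean "not accounted for".
        if not allocations.get(inst["uuid"]):
            missing.append(inst)
    return missing


def untracked_by_host(instances, allocations):
    """Sum the resources each host carries outside Placement's accounting."""
    totals = defaultdict(lambda: dict.fromkeys(RESOURCE_KEYS, 0))
    for inst in find_unallocated(instances, allocations):
        for key in RESOURCE_KEYS:
            totals[inst["host"]][key] += inst[key]
    return dict(totals)


# Constructed sample data (not taken from any real cloud).
INSTANCES = [
    {"uuid": "aaaa-1", "host": "cmp01", "vcpus": 4, "ram_mb": 8192, "disk_gb": 80},
    {"uuid": "aaaa-2", "host": "cmp01", "vcpus": 8, "ram_mb": 16384, "disk_gb": 160},
    {"uuid": "aaaa-3", "host": "cmp01", "vcpus": 2, "ram_mb": 4096, "disk_gb": 40},
    {"uuid": "aaaa-4", "host": "cmp02", "vcpus": 2, "ram_mb": 4096, "disk_gb": 40},
    {"uuid": "aaaa-5", "host": None, "vcpus": 1, "ram_mb": 1024, "disk_gb": 10},
]
ALLOCATIONS = {
    "aaaa-1": {"rp-cmp01": {"VCPU": 4, "MEMORY_MB": 8192, "DISK_GB": 80}},
    "aaaa-3": {},  # consumer returned by the query, but with nothing allocated
    "aaaa-4": {"rp-cmp02": {"VCPU": 2, "MEMORY_MB": 4096, "DISK_GB": 40}},
}

if __name__ == "__main__":
    for host, used in sorted(untracked_by_host(INSTANCES, ALLOCATIONS).items()):
        print(f"{host}: untracked {used}")
```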

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate to Nova API with tenant credentials
  • Delivery: Call server-create with unstripped scheduler hint data
  • Exploit: Instance boots without Placement allocation
  • Execution: Repeat to consume untracked host resources
  • Persist: Compute host over-subscribed
  • Impact: Availability degraded for co-located tenants

Vulnerability Assessment (AI)

Exploitation: Requires valid authenticated access to the OpenStack Identity/Nova API at a privilege level able to call the server-create (boot instance) endpoint and supply scheduler hint data (consistent with CVSS PR:L), i.e., an ordinary tenant/project member, not necessarily an admin. …

Risk Assessment: Signals are mixed-to-moderate. …

Exploit Scenario: A user holding valid credentials for any project on the cloud calls the Nova server-create API with crafted scheduler hint data that is not stripped, causing Nova to boot the instance while skipping creation of its Placement allocation. The attacker repeats this to launch VMs that consume real CPU, memory, and disk invisibly to the scheduler's accounting, eventually exhausting a compute host and degrading or denying service to other tenants' workloads. …

Remediation: Upgrade Nova to a fixed release on your branch: vendor-released patch 33.0.2 for the 33.x line, 32.2.1 for the 32.x line, and 31.3.1 for the 18.0.0-31.x range. …

Recommended Action (AI)

Within 24 hours: identify all OpenStack deployments, confirm Nova versions in use, and verify Placement service integration status. …
