GHSA-mfg3-p6m3-gjgr
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Network API reachable (AV:N) with low complexity, exploitable by an ordinary authenticated tenant (PR:L); broken cross-service resource accounting (S:C, I:L) enables host resource exhaustion (A:H) with no confidentiality impact.
Primary rating from Vendor (CNA).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Lifecycle Timeline
8Description PRE-NVD
AnalysisAI
Resource-accounting bypass in OpenStack Nova (compute service) lets an authenticated tenant create an instance whose scheduler hint data is not properly stripped, resulting in a running VM that has no corresponding Placement allocation. Because the instance consumes real host CPU/RAM/disk that the Placement service never accounted for, an attacker with ordinary project credentials can quietly over-subscribe a compute host and degrade availability for co-located tenants. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires valid authenticated access to the OpenStack Identity/Nova API at a privilege level able to call the server-create (boot instance) endpoint and supply scheduler hint data (consistent with CVSS PR:L) - i.e., an ordinary tenant/project member, not necessarily an admin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user holding valid credentials for any project on the cloud calls the Nova server-create API with crafted scheduler hint data that is not stripped, causing Nova to boot the instance while skipping creation of its Placement allocation. The attacker repeats this to launch VMs that consume real CPU, memory, and disk invisibly to the scheduler's accounting, eventually exhausting a compute host and degrading or denying service to other tenants' workloads. … |
| Remediation | Upgrade Nova to a fixed release on your branch: Vendor-released patch 33.0.2 for the 33.x line, 32.2.1 for the 32.x line, and 31.3.1 for the 18.0.0-31.x range. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all OpenStack deployments, confirm Nova versions in use, and verify Placement service integration status. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37218