cbcvebase.

Debian Openvswitch vulnerabilities

25 known vulnerabilities affecting debian/openvswitch.

Total CVEs: 25
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 8, MEDIUM 5, LOW 6, UNKNOWN 1

Vulnerabilities

Page 1 of 2
CVE-2026-34956 | UNKNOWN | fixed in openvswitch 3.7.1-1 (forky) | 2026
CVE-2026-34956: openvswitch
bookworm: open; bullseye: open; forky: resolved (fixed in 3.7.1-1); sid: resolved (fixed in 3.7.1-1); trixie: open

CVE-2024-22563 | HIGH | CVSS 7.5 | fixed in openvswitch 2.17.2-4 (bookworm) | 2024
[HIGH] CVE-2024-22563: openvswitch - openvswitch 2.17.8 was discovered to contain a memory leak via the function xmalloc__ in openvswitch-2.17.8/lib/util.c.
Scope: local
bookworm: resolved (fixed in 2.17.2-4); bullseye: resolved (fixed in 2.15.0+ds1-2+deb11u5); forky: resolved (fixed in 2.17.2-4); sid: resolved (fixed in 2.17.2-4); trixie: resolved (fixed in 2.17.2-4)

CVE-2023-5366 | HIGH | CVSS 7.1 | fixed in openvswitch 3.1.0-2+deb12u1 (bookworm) | 2023
[HIGH] CVE-2023-5366: openvswitch - A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Scope: local
bookworm: resolved (fixed in 3.1.0

CVE-2023-3966 | HIGH | CVSS 7.5 | fixed in openvswitch 3.1.0-2+deb12u1 (bookworm) | 2023
[HIGH] CVE-2023-3966: openvswitch - A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.
Scope: local
bookworm: resolved (fixed in 3.1.0-2+deb12u1); bullseye: resolved (fixed in 2.15.0+ds1-2+deb11u5)

CVE-2023-1668 | HIGH | CVSS 8.2 | fixed in openvswitch 3.1.0-2 (bookworm) | 2023
[HIGH] CVE-2023-1668: openvswitch - A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing

CVE-2022-4338 | CRITICAL | CVSS 9.8 | fixed in openvswitch 3.1.0~git20221212.739bcf2-4 (bookworm) | 2022
[CRITICAL] CVE-2022-4338: openvswitch - An integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.
Scope: local
bookworm: resolved (fixed in 3.1.0~git20221212.739bcf2-4); bullseye: resolved (fixed in 2.15.0+ds1-2+deb11u2); forky: resolved (fixed in 3.1.0~git20221212.739bcf2-4); sid: resolved (fixed in 3.1.0~git20221212.739bcf2-4); trixie: resolved (fixed in 3.1.0~git

CVE-2022-4337 | CRITICAL | CVSS 9.8 | fixed in openvswitch 3.1.0~git20221212.739bcf2-4 (bookworm) | 2022
[CRITICAL] CVE-2022-4337: openvswitch - An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.
Scope: local
bookworm: resolved (fixed in 3.1.0~git20221212.739bcf2-4); bullseye: resolved (fixed in 2.15.0+ds1-2+deb11u2); forky: resolved (fixed in 3.1.0~git20221212.739bcf2-4); sid: resolved (fixed in 3.1.0~git20221212.739bcf2-4); trixie: resolved (fixed in 3.1.0~gi

CVE-2022-32166 | MEDIUM | CVSS 6.1 | fixed in openvswitch 2.13.0+dfsg1-1 (bookworm) | 2022
[MEDIUM] CVE-2022-32166: openvswitch - In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of “minimasks” function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.
Scope: local
bookworm: resolved (fixed in 2.13.0+dfsg1-1); bullseye:

CVE-2021-36980 | MEDIUM | CVSS 5.5 | fixed in openvswitch 2.15.0+ds1-10 (bookworm) | 2021
[MEDIUM] CVE-2021-36980: openvswitch - Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.
Scope: local
bookworm: resolved (fixed in 2.15.0+ds1-10); bullseye: resolved (fixed in 2.15.0+ds1-2+deb11u1); forky: resolved (fixed in 2.15.0+ds1-10); sid: resolved (fixed in

CVE-2021-3905 | LOW | CVSS 7.5 | 2021
[HIGH] CVE-2021-3905: openvswitch - A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments.
Scope: local
bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2020-35498 | HIGH | CVSS 7.5 | fixed in openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bookworm) | 2020
[HIGH] CVE-2020-35498: openvswitch - A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Scope: local
bookworm: re

CVE-2020-27827 | HIGH | CVSS 7.5 | fixed in lldpd 1.0.8-1 (bookworm) | 2020
[HIGH] CVE-2020-27827: lldpd - A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Scope: local
bookworm: resolved (fixed in 1.0.8-1); bullseye: resolved (fixed in 1.0.8-1); fo

CVE-2019-25076 | MEDIUM | CVSS 5.8 | 2019
[MEDIUM] CVE-2019-25076: openvswitch - The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.17.2 and 3.0.0 allows remote attackers to cause a denial of service (delays of legitimate traffic) via crafted packet data that requires excessive evaluation time within the packet classification algorithm for the MegaFlow cache, aka a Tuple Space Explosion (TSE) attack.
Scope: local
bookworm

CVE-2018-17205 | HIGH | CVSS 7.5 | fixed in openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 (bookworm) | 2018
[HIGH] CVE-2018-17205: openvswitch - An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c. During bundle commit, flows that are added in a bundle are applied to ofproto in order. If a flow cannot be added (e.g., the flow action is a go-to for a group id that does not exist), OvS tries to revert back all previous flows that were succ

CVE-2018-17204 | MEDIUM | CVSS 4.3 | fixed in openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 (bookworm) | 2018
[MEDIUM] CVE-2018-17204: openvswitch - An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting parse_group_prop_ntr_selection_method in lib/ofp-util.c. When decoding a group mod, it validates the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tries to use the type and command earlier, when it might still be invalid. This causes an

CVE-2018-17206 | MEDIUM | CVSS 4.9 | fixed in openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 (bookworm) | 2018
[MEDIUM] CVE-2018-17206: openvswitch - An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.
Scope: local
bookworm: resolved (fixed in 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1); bullseye: resolved (fixed in 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1); forky: resolved (fixe

CVE-2017-9214 | CRITICAL | CVSS 9.8 | fixed in openvswitch 2.8.1+dfsg1-2 (bookworm) | 2017
[CRITICAL] CVE-2017-9214: openvswitch - In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_REPLY type OFP 1.0 message, there is a buffer over-read that is caused by an unsigned integer underflow in the function `ofputil_pull_queue_get_config_reply10` in `lib/ofp-util.c`.
Scope: local
bookworm: resolved (fixed in 2.8.1+dfsg1-2); bullseye: resolved (fixed in 2.8.1+dfsg1-2); forky: resol

CVE-2017-9263 | LOW | CVSS 6.5 | fixed in openvswitch 2.8.1+dfsg1-2 (bookworm) | 2017
[MEDIUM] CVE-2017-9263: openvswitch - In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch.
Scope: local
bookworm: resolved (fixed in 2.8.1+dfsg1-2); bullseye: resolv

CVE-2017-9265 | LOW | CVSS 9.8 | fixed in openvswitch 2.8.1+dfsg1-2 (bookworm) | 2017
[CRITICAL] CVE-2017-9265: openvswitch - In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing the group mod OpenFlow message sent from the controller in `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.
Scope: local
bookworm: resolved (fixed in 2.8.1+dfsg1-2); bullseye: resolved (fixed in 2.8.1+dfsg1-2); forky: resolved (fixed in 2.8.1+dfsg1-2); sid: resolved (fixed in

CVE-2017-14970 | LOW | CVSS 5.9 | fixed in openvswitch 2.8.1+dfsg1-2 (bookworm) | 2017
[MEDIUM] CVE-2017-14970: openvswitch - In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. NOTE: the vendor disputes the relevance of this report, stating "it can only be triggered by an OpenFlow controller, but OpenFlow controllers have much more direct and powerful ways to force Open vSwitch to allocate memory,