CVE-2026-44919: Infinite Loop in OpenStack Ironic
Platform: linux
Component: ironic
Fixed in: a3f6d735ac3642ab95b49142c7305f072ae748d0
CVE-2026-44919 describes an infinite loop vulnerability discovered in OpenStack Ironic. This flaw arises during image handling when processing a specially crafted file:///dev/zero URL, leading to a denial-of-service (DoS) condition. The vulnerability affects versions prior to a3f6d735ac3642ab95b49142c7305f072ae748d0, and a fix is available in version a3f6d735ac3642ab95b49142c7305f072ae748d0.
Impact and Attack Scenarios
An attacker could exploit this vulnerability by sending a crafted file:///dev/zero URL to an OpenStack Ironic instance. This triggers an infinite loop in the checksum calculation process, consuming excessive CPU resources and potentially crashing the Ironic service. The impact is primarily a denial of service, preventing legitimate users from provisioning or managing virtual machines. While data exfiltration is not directly possible through this vulnerability, the DoS condition can disrupt critical infrastructure and impact availability. The blast radius extends to any service dependent on Ironic for instance provisioning.
Exploitation Context
CVE-2026-44919 was published on 2026-05-14. Its severity is currently assessed as MEDIUM. No public proof-of-concept (POC) code is currently available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS, suggesting a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2026-44919 is to upgrade OpenStack Ironic to version a3f6d735ac3642ab95b49142c7305f072ae748d0 or later. If immediate upgrading is not feasible, consider implementing input validation on the image URLs processed by Ironic to prevent the use of file:///dev/zero. Network segmentation can also limit the potential attack surface. Monitor Ironic service resource utilization (CPU, memory) for unusual spikes that could indicate exploitation. After upgrading, confirm the fix by attempting to process a file:///dev/zero URL and verifying that the checksum calculation completes without entering an infinite loop.
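The two workarounds above (validating image URLs before they reach the image handling code, and keeping the checksum loop bounded so an endless stream cannot pin a worker) can be illustrated with the following added example. It is not Ironic's own code and does not reflect the upstream fix; the function names validate_image_source and bounded_sha256, the allowed scheme set and the 50 GiB byte ceiling are assumptions chosen for the illustration.

```python
import hashlib
import os
import stat
import tempfile
from urllib.parse import unquote, urlparse

# Hypothetical policy values (assumptions for this example, not Ironic settings).
ALLOWED_SCHEMES = {"http", "https", "file"}
MAX_IMAGE_BYTES = 50 * 1024 * 1024 * 1024  # assumed 50 GiB ceiling for a disk image


def validate_image_source(url: str) -> bool:
    """Return True only if the URL may be handed to the image/checksum path.

    Non-file schemes are accepted as-is here (real deployments would apply
    their own allow-lists).  A file:// URL is accepted only when it names an
    existing regular file: character devices such as /dev/zero, FIFOs and
    directories are rejected, because a reader that loops until EOF never
    terminates on an endless device stream.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    if parsed.scheme != "file":
        return True
    # file://host/path with a remote host is not a local file we can vet.
    if parsed.netloc not in ("", "localhost"):
        return False
    path = unquote(parsed.path)
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode)


def bounded_sha256(path: str, max_bytes: int = MAX_IMAGE_BYTES,
                   chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks, aborting once more than max_bytes were read.

    This is the second layer: even if validation is bypassed, the loop exits
    with an error instead of spinning forever on a source that never reaches
    EOF.
    """
    digest = hashlib.sha256()
    consumed = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break  # genuine EOF: a finite file
            consumed += len(chunk)
            if consumed > max_bytes:
                raise ValueError(
                    f"{path}: exceeded {max_bytes} bytes while checksumming")
            digest.update(chunk)
    return digest.hexdigest()


def main() -> None:
    # Constructed sample: a small regular file standing in for a disk image.
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "sample.raw")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096)
        for candidate in ("file:///dev/zero", "file://" + image,
                          "https://images.example.invalid/disk.qcow2",
                          "ftp://images.example.invalid/disk.qcow2"):
            print(f"{candidate!s:55} accepted={validate_image_source(candidate)}")
        print("sha256 of sample:", bounded_sha256(image))
        try:
            bounded_sha256(image, max_bytes=1024, chunk_size=512)
        except ValueError as exc:
            print("budget exceeded as expected:", exc)


if __name__ == "__main__":
    main()
```

The validator rejects file:///dev/zero whether or not the device node exists on the host running it (missing path and non-regular file both fail), so it can be exercised safely on any machine; the byte budget is what guarantees termination when a source slips past validation.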
How to fix
Upgrade OpenStack Ironic to version a3f6d735ac3642ab95b49142c7305f072ae748d0 or later to avoid the infinite loop in checksum calculations when handling images through the file:///dev/zero URL. Review the release notes for specific upgrade instructions. Be sure to test the upgrade in a staging environment before applying it to production.
Frequently asked questions
What is CVE-2026-44919 — Infinite Loop in OpenStack Ironic?
CVE-2026-44919 is a MEDIUM severity vulnerability in OpenStack Ironic where a file:///dev/zero URL can trigger an infinite loop during image handling, leading to a denial-of-service. It affects versions before a3f6d735ac3642ab95b49142c7305f072ae748d0.
Am I affected by CVE-2026-44919 in OpenStack Ironic?
You are affected if you are running OpenStack Ironic versions 0.0.0–a3f6d735ac3642ab95b49142c7305f072ae748d0. Check your version and upgrade if necessary.
How do I fix CVE-2026-44919 in OpenStack Ironic?
Upgrade OpenStack Ironic to version a3f6d735ac3642ab95b49142c7305f072ae748d0 or later. As a temporary workaround, implement input validation on image URLs.
Is CVE-2026-44919 being actively exploited?
Currently, there are no public reports of active exploitation or proof-of-concept code available. However, it's crucial to apply the patch promptly.
Where can I find the official OpenStack advisory for CVE-2026-44919?
Refer to the OpenStack security announcements page for the latest information: https://lists.openstack.org/pipermail/announce/2026-May/000000.html