CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-25804

Antrea Integer Overflow: When 65536 Equals 0 (and Admin Rules Don't Matter)

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 6, 2026·6 min read·36 visits

Executive Summary (TL;DR)

Antrea used 16-bit integers to calculate OpenFlow priorities. If you create enough rules, the math overflows, turning a 'low priority' rule into a 'maximum priority' rule. This allows attackers to bypass security tiers (Tier Jumping) and override admin policies.

A critical integer overflow vulnerability in Antrea's priority assignment logic allows low-priority network policies to wrap around and supersede high-priority security rules. By flooding the system with policies, an attacker can manipulate OpenFlow priorities, effectively bypassing cluster-wide firewalls and segmentation rules via simple arithmetic underflow.

The Hook: 16 Bits Ought to Be Enough for Anyone

In the world of Kubernetes networking, we trust the CNI (Container Network Interface) to be the immutable arbiter of traffic. You define a NetworkPolicy that says "The database cannot talk to the public internet," and you assume the CNI enforces it. Antrea, a popular CNI based on Open vSwitch (OVS), implements this via a sophisticated Tier system. You have Emergency tiers, SecurityOps tiers, and lowly Application tiers. The hierarchy is absolute. Or so we thought.

CVE-2026-25804 is a reminder that at the end of the day, all your fancy cloud-native logic gets compiled down to basic arithmetic. And in Antrea's case, that arithmetic was confined to a uint16. This vulnerability isn't a complex memory corruption exploit or a race condition; it's a classic integer overflow. It allows a low-privileged user to turn the priority hierarchy upside down, effectively making their application rules more powerful than the cluster admin's emergency lockdowns. It's the digital equivalent of a toddler overuled the Supreme Court because they counted past 10.

The Flaw: The Odometer Effect

The root cause lies in how Antrea translates abstract Policy Tiers into concrete OpenFlow priorities. OpenFlow, the protocol used to program the OVS data plane, uses a 16-bit integer (0-65535) for rule priority. Higher numbers mean higher precedence. Antrea tries to map its logical tiers onto this 16-bit space by calculating 'offsets' from the top of the range.

The logic works like this: Final_Priority = Max_Priority - (Tier_Offset + Policy_Offset + Rule_Offset). Ideally, as you go down the tiers (from Emergency to Application), the offsets get larger, and the Final_Priority gets smaller. This ensures Application rules (low priority) yield to Emergency rules (high priority).

However, the developers performed the addition of these offsets using uint16 arithmetic. If the combined value of the offsets exceeds 65535, it silently wraps around (overflows). Suddenly, a massive offset—which should have resulted in a priority of near-zero—becomes a tiny offset. When you subtract a tiny offset from Max_Priority, you get a massive OpenFlow priority. The odometer rolled over, and the clunker became a Ferrari.

The Code: Smoking Gun

Let's look at the vulnerable code in pkg/agent/controller/networkpolicy/priority.go. It's a textbook example of implicit type casting gone wrong. The developers cast the components to uint16 before adding them, sealing the fate of the calculation.

Vulnerable Code (Before Fix):

// Everything is cast to uint16 immediately
tierOffset := tierOffsetBase * uint16(p.TierPriority)
priorityOffset := uint16(p.PolicyPriority * priorityOffsetBase)
 
// THE BUG: If these sum to > 65535, they wrap around
offSet := tierOffset + priorityOffset + uint16(p.RulePriority)
 
// The check passes because 'offSet' is now a small number due to overflow
if pa.policyTopPriority-pa.policyBottomPriority < offSet {
    return pa.policyBottomPriority
}
 
// Result: A huge priority number (TopPriority - small_number)
return pa.policyTopPriority - offSet

The Fix (Commit 39f21b3b): The patch is straightforward: promote everything to uint32 first, do the math, check for boundaries, and only then cast back to uint16 if it fits.

// Promoted to uint32 to prevent wrap-around
tierOffset := uint32(tierOffsetBase) * uint32(p.TierPriority)
priorityOffset := uint32(p.PolicyPriority * priorityOffsetBase)
offSet := tierOffset + priorityOffset + uint32(p.RulePriority)
 
// Check against the 32-bit calculated offset
availableRange := uint32(pa.policyTopPriority) - uint32(pa.policyBottomPriority)
if availableRange < offSet {
    return pa.policyBottomPriority
}
 
// Now safe to cast back
return pa.policyTopPriority - uint16(offSet)

The Exploit: Flooding the Zone

To exploit this, an attacker doesn't need root access to the node; they just need permission to create NetworkPolicy objects in a namespace (a standard permission for developers). The goal is to force the offSet calculation to hit the magic overflow window (e.g., 65536 or slightly higher).

Step 1: Setup The attacker deploys a malicious pod and creates a NetworkPolicy that allows all traffic (e.g., Allow 0.0.0.0/0). Normally, this would be a low-priority rule residing in the default Application Tier.

Step 2: The Flood The attacker programmatically creates hundreds of dummy NetworkPolicies. Each policy increments the PolicyPriority counter. Antrea's controller dutifully calculates the offset for each one.

Step 3: The Wrap Eventually, the internal calculation tierOffset + priorityOffset + rulePriority hits 65537. In uint16 land, this is 1. The controller calculates the final OpenFlow priority as Max_Priority - 1.

Step 4: Tier Jumping The OVS flow table is updated. The attacker's "Allow All" rule is now inserted at the very top of the table, physically above the admin's "Deny All" rules in the Emergency tier. Traffic that should be blocked is now flowing freely. The attacker has successfully escaped their security tier.

The Impact: Chaos in the Cluster

The impact of this vulnerability is high (CVSS 8.0) because it completely undermines the trust model of the network.

  1. Security Bypass: Critical segmentation rules (e.g., PCI-DSS boundaries) can be rendered useless without the admin knowing. The dashboard might still show the tiers correctly, but the data plane is doing something entirely different.
  2. Denial of Service (DoS): By manipulating priorities, an attacker could invert logic to drop legitimate traffic that should have been allowed.
  3. Persistence: Because this is a logic bug in the controller, the incorrect priorities persist until the policies are deleted or the controller is patched. It's a silent failure mode—unless you are actively auditing the raw OpenFlow tables (ovs-ofctl dump-flows), you won't see it.

Mitigation: Patch or Perish

There is no clever configuration workaround here. You cannot easily restrict the internal math of the controller via config files.

Immediate Action: Upgrade Antrea immediately.

  • If you are on 2.3.x, upgrade to 2.3.2.
  • If you are on 2.4.x, upgrade to 2.4.3.

Defense in Depth: While patching is the only fix, you should review your Kubernetes RBAC. Why does a single user have the quota to create 500+ NetworkPolicies? Implementing ResourceQuotas on NetworkPolicies per namespace can make exploitation significantly harder (though not impossible, if the attacker compromises multiple namespaces).

Official Patches

AntreaPull Request #7496: Fix arithmetic overflow in priority assignment

Fix Analysis (2)

Technical Appendix

CVSS Score
8.0/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U

Affected Systems

Antrea Kubernetes CNI

Affected Versions Detail

Product
Affected Versions
Fixed Version
Antrea
Antrea-io
< 2.3.22.3.2
Antrea
Antrea-io
2.4.0 - 2.4.22.4.3
AttributeDetail
CWE IDCWE-190 (Integer Overflow or Wraparound)
CVSS v4.08.0 (High)
Attack VectorNetwork
ImpactSecurity Bypass / Privilege Escalation
Affected ProtocolOpenFlow
LanguageGo

MITRE ATT&CK Mapping

T1562.001Impair Defenses: Disable or Modify System Firewall
Defense Evasion
T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-190
Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Known Exploits & Detection

Unit Test PoCGolang unit test demonstrating the generation of 500 priorities to test overflow handling.

Vulnerability Timeline

Patch Developed & Merged
2025-10-14
Fixed Versions 2.3.2 and 2.4.3 Released
2025-10-14
CVE-2026-25804 Published
2026-02-06

References & Sources

  • [1]GHSA Advisory
  • [2]Patch Commit

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•26 minutes ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 1 hour ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 2 hours ago•GHSA-86VW-X4WW-X467
8.6

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-382C-VX95-W3P5
6.5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Alon Barad
Alon Barad
3 views•6 min read
•about 19 hours ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
6 views•5 min read