
Lacking sanitization of Nova scheduler hints (OSSA-2026-022 / CVE-2026-46448)

Kurt Garloff
CEO @ S7n Cloud Services, former CTO @ SCS

The vulnerability

When talking to the OpenStack Nova Compute API, users can specify scheduler hints that express preferences for server (VM) placement. However, users can inject the value {"_nova_check_type": "rebuild"}, which is only meant to be used internally in the rebuild context and causes certain resource checks to be skipped. This can cause placement constraints such as host aggregates, AZs and image traits to be ignored, and can cause PCI pass-through resources to not be properly mapped. While the assigned quota is still observed, the vulnerability may cause exhaustion of resources and confusion of the scheduler (placement) state and thus may result in a Denial of Service for certain resource types.

This issue was reported by Erichen, Institute of Computing Technology, Chinese Academy of Sciences and was subsequently analyzed and handled by Goutham Pacha Ravi, Dan Smith and Sylvain Bauza. It was assigned CVE-2026-46448.

Impact on the SCS software ecosystem

Malevolent authenticated users could use this to schedule VMs on hosts that would normally not be accessible to their VMs (e.g. because they are in a host aggregate only available to GPU flavors which are manually enabled for selected customers only). This could result in resource exhaustion for legitimate users and cause the placement accounting to be confused.

This will mainly affect providers that expose specialized, possibly scarce features (such as GPUs) via special flavors. In particular, PCI devices may be assigned without proper accounting in the placement service.

Embargo

The issue was reported to the OpenStack Vulnerability Management Team. Following coordination with the reporters and upstream developers, the official OpenStack Security Advisory OSSA-2026-022 was published on Tuesday, 2026-06-16, 15:00 UTC.

Mitigation and Fixes

The fix consists of ensuring that internal _nova_ scheduler hints are properly filtered out in the API exposed to users.
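The filtering idea described above, as an added example that is not Nova's actual patch and not code from this advisory: a check that an operator could run over captured server-create request bodies, or in a proxy in front of an unpatched nova-api. It assumes that internal hints are exactly those whose name starts with `_nova_` (following the `_nova_check_type` key above) and that hints arrive under the request-body keys `os:scheduler_hints` or `OS-SCH-HNT:scheduler_hints`; the function names and the sample body are constructed for illustration.

```python
# Assumption: a hint is internal-only if its name starts with this prefix,
# following the "_nova_check_type" key named in the advisory.
INTERNAL_PREFIX = "_nova_"

# Assumption: request-body keys that carry scheduler hints on server create.
HINT_KEYS = ("os:scheduler_hints", "OS-SCH-HNT:scheduler_hints")


def find_internal_hints(body):
    """Return the sorted names of internal hints present in a request body."""
    found = set()
    for key in HINT_KEYS:
        hints = body.get(key)
        # Malformed (non-dict) hint sections carry no hint names to inspect.
        if isinstance(hints, dict):
            found.update(k for k in hints if str(k).startswith(INTERNAL_PREFIX))
    return sorted(found)


def strip_internal_hints(body):
    """Return a copy of the body with internal hints removed.

    The input is not modified, so the original request can still be logged.
    """
    cleaned = dict(body)
    for key in HINT_KEYS:
        hints = body.get(key)
        if isinstance(hints, dict):
            cleaned[key] = {
                k: v for k, v in hints.items()
                if not str(k).startswith(INTERNAL_PREFIX)
            }
    return cleaned


# Constructed sample: a server-create body mixing a normal user hint with
# the internal one named in the advisory.
SAMPLE_BODY = {
    "server": {"name": "vm1", "flavorRef": "example-flavor"},
    "os:scheduler_hints": {
        "group": "example-server-group-id",
        "_nova_check_type": "rebuild",
    },
}

if __name__ == "__main__":
    print("internal hints found:", find_internal_hints(SAMPLE_BODY))
    print("forwarded body:", strip_internal_hints(SAMPLE_BODY))
```

A non-empty result from `find_internal_hints` on a user-originated request is worth logging with the project and user ID, since it identifies the instances whose placement allocations may need healing.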

Providers are advised to deploy fixed nova-api containers. The SCS ecosystem software providers will provide fixed nova images along with update instructions.

Operators whose users may have caused confusion in the placement accounting will need to run

nova-manage placement heal_allocations

to ensure that accounting in the placement service is consistent again.

References

Thanks

The author would like to thank the reporters, the OpenStack vulnerability management team and the above-mentioned maintainers for reporting, analyzing, fixing and handling the issue.

Sovereign Cloud Stack Security Contact

SCS security contact is security@scs.community, as published on https://sovereigncloudstack.org/.well-known/security.txt.

Version history

  • Initial draft, v0.5, 2026-06-16, 13:30 CEST
  • Initial publication, v1.0, 2026-06-16, 17:00 CEST
  • Link OSISM advisory, v1.1, 2026-06-16, 19:30 CEST
  • Link yaook advisory, v1.2, 2026-06-17, 13:30 CEST