Your message dated Mon, 22 Jun 2026 08:23:37 +0000
with message-id <[email protected]>
and subject line Bug#1140149: fixed in nova 2:33.0.1-4
has caused the Debian Bug report #1140149,
regarding CVE-2026-46448 / OSSN-2026-022: Authenticated placement bypass in
Nova via malicious os:scheduler_hints
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nova
Version: 2:31.0.0-6+deb13u2
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

### Summary

An authenticated attacker can bypass Placement API resource constraints by
injecting the `_nova_check_type` sentinel value into the computing allocation
flow via the `os:scheduler_hints` property. This tricks the scheduler into
evaluating the creation context as a `rebuild` rather than a standard create,
skipping Placement resource claims entirely. It inherently allows uncontrolled
ghost instance provisioning, denying resources to legitimate users and crashing
compute hosts due to physical exhaustion.

### Details

The OpenStack Nova Scheduler component (nova/scheduler/utils.py) utilizes the
function `request_is_rebuild(spec_obj)` whose primary purpose is to determine
whether a pending scheduling request correctly corresponds to an instance
rebuild. During a legitimate rebuild operation, an instance remains on its
original host, and therefore Nova does not need to allocate fresh placement
metrics for it.

However, the architecture flaw arises due to a lack of strict parameter
isolation at the external API boundary:

1. The JSON schema for the `/servers` create API
(nova/api/openstack/compute/schemas/servers.py) explicitly specifies
`additionalProperties: True` for the `os:scheduler_hints` block, failing to
filter internal-only sentinel values prefixed with `_nova_`.
2. The user-provided `scheduler_hints` is directly assigned in
nova/api/openstack/compute/servers.py without stripping internal protected
variables before passing the request down to the RPC worker.
3. The type coercion performed by OpenStack (`DictOfListOfStringsField` in
nova/objects/request_spec.py) transforms the scalar string `"rebuild"` to a
list `['rebuild']`, making it exactly match the scheduler's explicit check
returning `check_type == ['rebuild']` inside nova/scheduler/utils.py.

As a result, an attacker uploading `{"_nova_check_type": "rebuild"}` tricks
the resource claiming routine into early returning `True` (bypassing the
Placement capacity assignment).
--- End Message ---
--- Begin Message ---
Source: nova
Source-Version: 2:33.0.1-4
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 10 Jun 2026 09:59:57 +0200
Source: nova
Architecture: source
Version: 2:33.0.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1140149
Changes:
nova (2:33.0.1-4) unstable; urgency=medium
.
* CVE-2026-46448 / OSSN-2026-022: Nova scheduler hint injection bypasses
Placement resource claims and scheduling constraints. Applied upstream
patch: "Strip internal _nova-prefixed scheduler hints on create"
(Closes: #1140149).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
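The flow described in the bug report and the boundary filter named in the changelog ("Strip internal _nova-prefixed scheduler hints on create"), as an added example that is not Nova's source or the upstream patch. The function names `coerce_hints`, `looks_like_rebuild`, `strip_internal_hints` and `handle_create` are hypothetical, and the request body is constructed.

```python
# Added illustration: a simplified model, not Nova's code or the upstream patch.
INTERNAL_PREFIX = "_nova_"  # prefix the report says marks internal-only sentinels


def coerce_hints(hints):
    """Model of the coercion the report describes: scalars become one-item string lists."""
    return {k: [str(x) for x in v] if isinstance(v, list) else [str(v)]
            for k, v in hints.items()}


def looks_like_rebuild(coerced):
    """Model of the check the report quotes: check_type == ['rebuild']."""
    return coerced.get("_nova_check_type") == ["rebuild"]


def strip_internal_hints(hints):
    """Return (clean_hints, dropped_keys); reserved-prefix keys never leave the API layer."""
    clean, dropped = {}, []
    for key, value in hints.items():
        if isinstance(key, str) and key.startswith(INTERNAL_PREFIX):
            dropped.append(key)  # worth logging: a client should never send these
        else:
            clean[key] = value
    return clean, sorted(dropped)


def handle_create(body, strip=True):
    """Process a create body and report whether the placement claim would be skipped."""
    hints = dict(body.get("os:scheduler_hints") or {})
    dropped = []
    if strip:
        hints, dropped = strip_internal_hints(hints)
    coerced = coerce_hints(hints)
    return {"claim_skipped": looks_like_rebuild(coerced),
            "dropped": dropped,
            "hints": coerced}


# Constructed sample request body (not captured traffic).
SAMPLE = {"server": {"name": "demo"},
          "os:scheduler_hints": {"group": "a1b2", "_nova_check_type": "rebuild"}}

if __name__ == "__main__":
    print("unfiltered:", handle_create(SAMPLE, strip=False))
    print("filtered:  ", handle_create(SAMPLE, strip=True))
```

The `dropped` list doubles as a detection signal: any create request that reaches the API with a reserved-prefix hint is worth an audit log entry.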