CVE-2026-25804
Unknown Unknown - Not Provided
Integer Overflow in Antrea Network Policy Causes Traffic Enforcement Errors

Publication date: 2026-02-06

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25804
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation antrea to 2.3.2 (exc)
linuxfoundation antrea From 2.4.0 (inc) to 2.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Antrea, a Kubernetes networking solution. Before versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system had a uint16 arithmetic overflow bug. This bug caused incorrect calculations of OpenFlow priorities when managing a large number of policies with different priority values.

As a result, the system could enforce network traffic policies incorrectly, potentially allowing or blocking traffic in unintended ways. The issue was fixed in version 2.4.3.

Impact Analysis

The vulnerability can lead to incorrect enforcement of network traffic policies in Kubernetes environments using Antrea. This means that network traffic might be allowed or denied incorrectly, potentially exposing sensitive services or blocking legitimate traffic.

Such misconfigurations can result in security risks, including unauthorized access or denial of service, depending on how the network policies are intended to function.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Antrea to version 2.4.3 or later, where the uint16 arithmetic overflow bug in the network policy priority assignment system has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart