CVE-2026-46448
Analyzed Analyzed - Analysis Complete

OpenStack Nova Server Create API Missing Placement Allocation

Vulnerability report for CVE-2026-46448, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-26

Assigner: MITRE

Description

In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-26
Generated
2026-07-07
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
openstack nova From 18.0.0 (inc) to 31.3.1 (exc)
openstack nova From 32.0.0 (inc) to 32.2.1 (exc)
openstack nova From 33.0.0 (inc) to 33.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46448 is a vulnerability in OpenStack Nova where the server create API does not properly strip certain internal scheduler hint data, specifically the sentinel value `_nova_check_type`, from user input.

This allows an authenticated attacker to inject this sentinel value into the `os:scheduler_hints` property during instance creation, causing the scheduler to treat the request as a rebuild operation and skip Placement resource claims.

As a result, instances can be created without proper Placement allocations, enabling attackers to bypass resource constraints and quotas.

Impact Analysis

This vulnerability can lead to several serious impacts:

  • Bypassing Placement API resource constraints and scheduling restrictions such as availability zone, host aggregate, and image trait constraints.
  • Provisioning of unlimited "ghost" instances that consume physical resources without proper accounting.
  • Denial-of-service (DoS) conditions and potential host crashes due to resource exhaustion.
  • Quota bypass and resource starvation, especially affecting expensive hardware like SR-IOV GPUs or NVMe disks.
  • Potential cross-tenant data persistence on NVMe devices after instance deletion.
  • Billing inconsistencies due to untracked resource consumption.
Detection Guidance

Detection of this vulnerability involves identifying instances created with the `_nova_check_type` sentinel value in the `os:scheduler_hints` property, which bypass Placement API resource constraints.

Since the vulnerability results in instances without Placement allocations, one approach is to query the Placement database or Nova scheduler logs for instances lacking proper Placement resource claims.

Commands to detect suspicious instances might include querying Nova or Placement APIs for instances missing expected resource allocations or checking scheduler hints for the presence of `_nova_check_type`.

  • Use OpenStack CLI to list instances and check their scheduler hints: `openstack server show <instance_id>` and inspect the `os:scheduler_hints` field.
  • Query the Placement API to verify resource allocations for instances: `openstack resource provider allocation list <resource_provider_id>`.
  • Review Nova scheduler logs for entries containing `_nova_check_type` to identify attempts to bypass Placement constraints.
Mitigation Strategies

Immediate mitigation involves applying patches provided for OpenStack Nova versions affected by this vulnerability.

The fix strips or rejects the `_nova_check_type` sentinel value at the API layer before it reaches the scheduler, preventing bypass of Placement resource claims.

If patching is not immediately possible, restrict authenticated user permissions to limit who can create instances or use scheduler hints.

Monitor and audit instance creation requests for suspicious scheduler hints and enforce input validation on the API side.

Compliance Impact

The vulnerability allows authenticated users to bypass Placement resource claims and scheduling constraints, leading to instances that consume physical resources without proper accounting and leaving no trace in Placement allocations.

This can result in resource exhaustion and potential cross-tenant data persistence on NVMe devices after instance deletion.

Such issues could impact compliance with standards and regulations like GDPR and HIPAA by risking unauthorized data persistence and lack of proper resource and data management controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart