Compliance Impact

The vulnerability allows authenticated users to bypass Placement resource claims and scheduling constraints, leading to instances that consume physical resources without proper accounting and leaving no trace in Placement allocations.

This can result in resource exhaustion and potential cross-tenant data persistence on NVMe devices after instance deletion.

Such issues could impact compliance with standards and regulations like GDPR and HIPAA by risking unauthorized data persistence and lack of proper resource and data management controls.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-46448 is a vulnerability in OpenStack Nova where the server create API does not properly strip certain internal scheduler hint data, specifically the sentinel value `_nova_check_type`, from user input.

This allows an authenticated attacker to inject this sentinel value into the `os:scheduler_hints` property during instance creation, causing the scheduler to treat the request as a rebuild operation and skip Placement resource claims.

As a result, instances can be created without proper Placement allocations, enabling attackers to bypass resource constraints and quotas.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to several serious impacts:

• Bypassing Placement API resource constraints and scheduling restrictions such as availability zone, host aggregate, and image trait constraints.
• Provisioning of unlimited "ghost" instances that consume physical resources without proper accounting.
• Denial-of-service (DoS) conditions and potential host crashes due to resource exhaustion.
• Quota bypass and resource starvation, especially affecting expensive hardware like SR-IOV GPUs or NVMe disks.
• Potential cross-tenant data persistence on NVMe devices after instance deletion.
• Billing inconsistencies due to untracked resource consumption.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying instances created with the `_nova_check_type` sentinel value in the `os:scheduler_hints` property, which bypass Placement API resource constraints.

Since the vulnerability results in instances without Placement allocations, one approach is to query the Placement database or Nova scheduler logs for instances lacking proper Placement resource claims.

Commands to detect suspicious instances might include querying Nova or Placement APIs for instances missing expected resource allocations or checking scheduler hints for the presence of `_nova_check_type`.

• Use OpenStack CLI to list instances and check their scheduler hints: `openstack server show <instance_id>` and inspect the `os:scheduler_hints` field.
• Query the Placement API to verify resource allocations for instances: `openstack resource provider allocation list <resource_provider_id>`.
• Review Nova scheduler logs for entries containing `_nova_check_type` to identify attempts to bypass Placement constraints.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying patches provided for OpenStack Nova versions affected by this vulnerability.

The fix strips or rejects the `_nova_check_type` sentinel value at the API layer before it reaches the scheduler, preventing bypass of Placement resource claims.

If patching is not immediately possible, restrict authenticated user permissions to limit who can create instances or use scheduler hints.

Monitor and audit instance creation requests for suspicious scheduler hints and enforce input validation on the API side.

Useful 0 Not Useful 0