SovereignCloudStack · garloff · Jun 17, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/blog/2026-06-16-cve-2026-46448.md b/blog/2026-06-16-cve-2026-46448.md
@@ -0,0 +1,88 @@
+---
+title: Lacking sanitization of Nova scheduler hints (OSSA-2026-022 / CVE-2026-46448)
+authors: [garloff]
+slug: nova_lacking_scheulder_hints_sanitization_ossa_2026_022
+tags: [security, openstack, nova, cve]
+---
+
+## The vulnerability
+
+When talking to the OpenStack Nova Compute API, Users can specify scheduler
+hints, expressing preferences for Server (VM) placement. Users can however
+inject a values `{"_nova_check_type": "rebuild"}` that is only meant to be used
+internally in the rebuild context which causes certain resource checks to be
+skipped. This can cause placement contraints such as host aggregates, AZs, image
+traits to be ignored and cause PCI pass-through resources to not be properly
+mapped. While the assigned quota is still observed, the vulnerability may cause
+exhaustion of resources and confusion of the scheduler (placement) state and
+thus may result in a Denial of Service for certain resource types.
+
+This issue was reported by Erichen, Institute of Computing Technology, Chinese
+Academy of Sciences and was subsequently analyzed and handled by Goutham Pacha Ravi,
+Dan Smith and Sylvain Bauza. It was assigned CVE-2026-46448.
+
+## Impact on the SCS software ecosystem
+
+Malevolent authenticated users could use this to schedule VMs on hosts that
+would normally not be accessible to their VMs (e.g. because they are in a
+host aggregate only available to GPU flavors which are manually enabled for
+selected customers only). This could result in resource exhaustion for
+legitimate users and cause the placement accounting to be confused.
+
+This will mainly affect providers that exposed specialized features via
+special flavors (such as e.g. GPUs) which may be scarce. In particular,
+PCI devices may be assigned without proper accounting in the placement
+service.
+
+## Embargo
+
+The issue was reported to the OpenStack Vulnerability Management Team.
+Following coordination with the reporters and upstream developers, the official
+OpenStack Security Advisory
+[OSSA-2026-022](https://security.openstack.org/ossa/OSSA-2026-022.html) was
+published on Tuesday, 2026-06-16, 15:00 UTC.
+
+## Mitigation and Fixes
+
+The fix consists in ensuring that internal `_nova_` scheduler hints are properly
+filtered out in the API exposed to users.
+
+Providers are advised to deploy fixed nova-api containers.
+The SCS ecosystem software providers will provide fixed nova images along with
+update instructions.
+
+- [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-022)
+- [yaook](https://yaook.cloud/security-advisories-cve-2026-46448/)
+
+Operators where users may have caused confusion in the placement accounting
+will need to run
+
+```shell
+nova-manage placement heal_allocations
+```
+
+to ensure that accounting in the placement service is consistent again.
+
+## References
+
+- [OSSA-2026-022 Advisory](https://security.openstack.org/ossa/OSSA-2026-022.html)
+- [Launchpad Bug #2151252](https://bugs.launchpad.net/nova/+bug/2151252)
+
+## Thanks
+
+The author would like to thank the reporters, the OpenStack vulnerability
+management team and the abovementioned maintainers for reporting,
+analyzing, fixing and handling the issue.
+
+## Sovereign Cloud Stack Security Contact
+
+SCS security contact is
+[security@scs.community](mailto:security@scs.community), as published on
+[https://sovereigncloudstack.org/.well-known/security.txt](https://sovereigncloudstack.org/.well-known/security.txt).
+
+## Version history
+
+- Initial draft, v0.5, 2026-06-16, 13:30 CEST
+- Initial publication, v1.0, 2026-06-16, 17:00 CEST
+- Link OSISM advisory, v1.1, 2026-06-16, 19:30 CEST
+- Link yaook advisory, v1.2, 2026-06-17, 13:30 CEST