Security update for openvswitch SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20049-1 Final 1 1 2026-01-09T10:54:58Z current 2026-01-09T10:54:58Z 2026-01-09T10:54:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openvswitch This update for openvswitch fixes the following issues: Update OpenvSwitch to v3.1.7 and OVN to v23.03.3. Security issues fixed: - CVE-2023-3966: ovs: invalid memory access and potential denial of service via specially crafted Geneve packets (bsc#1219465). - CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted ICMPv6 Neighbor Advertisement packets sent between virtual machines t(bsc#1216002). - CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD packets from inside unprivileged workloads (bsc#1255435). - CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP packet (bsc#1236353). Other updates and bugfixes: - OpenvSwitch: * https://www.openvswitch.org/releases/NEWS-3.1.7.txt * v3.1.7 - Bug fixes - OVS validated with DPDK 22.11.7. * v3.1.6 - Bug fixes - OVS validated with DPDK 22.11.6. * v3.1.5 - Bug fixes - OVS validated with DPDK 22.11.5. * v3.1.4 - Bug fixes - OVS validated with DPDK 22.11.4. - OVN: * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS * v23.03.3 - Bug fixes - Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets. * v23.03.1 - Bug fixes - CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default. - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined. - Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network. - ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-554 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/ Link for SUSE-SU-2026:20049-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023759.html E-Mail link for SUSE-SU-2026:20049-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216002 SUSE Bug 1216002 https://bugzilla.suse.com/1219465 SUSE Bug 1219465 https://bugzilla.suse.com/1236353 SUSE Bug 1236353 https://bugzilla.suse.com/1255435 SUSE Bug 1255435 https://www.suse.com/security/cve/CVE-2023-3966/ SUSE CVE CVE-2023-3966 page https://www.suse.com/security/cve/CVE-2023-5366/ SUSE CVE CVE-2023-5366 page https://www.suse.com/security/cve/CVE-2024-2182/ SUSE CVE CVE-2024-2182 page https://www.suse.com/security/cve/CVE-2025-0650/ SUSE CVE CVE-2025-0650 page SUSE Linux Micro 6.0 libopenvswitch-3_1-0-3.1.7-4.1 openvswitch-3.1.7-4.1 libopenvswitch-3_1-0-3.1.7-4.1 as a component of SUSE Linux Micro 6.0 openvswitch-3.1.7-4.1 as a component of SUSE Linux Micro 6.0 A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled. CVE-2023-3966 SUSE Linux Micro 6.0:libopenvswitch-3_1-0-3.1.7-4.1 SUSE Linux Micro 6.0:openvswitch-3.1.7-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/ https://www.suse.com/security/cve/CVE-2023-3966.html CVE-2023-3966 https://bugzilla.suse.com/1219465 SUSE Bug 1219465 A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses. CVE-2023-5366 SUSE Linux Micro 6.0:libopenvswitch-3_1-0-3.1.7-4.1 SUSE Linux Micro 6.0:openvswitch-3.1.7-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/ https://www.suse.com/security/cve/CVE-2023-5366.html CVE-2023-5366 https://bugzilla.suse.com/1216002 SUSE Bug 1216002 A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service. CVE-2024-2182 SUSE Linux Micro 6.0:libopenvswitch-3_1-0-3.1.7-4.1 SUSE Linux Micro 6.0:openvswitch-3.1.7-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/ https://www.suse.com/security/cve/CVE-2024-2182.html CVE-2024-2182 https://bugzilla.suse.com/1255435 SUSE Bug 1255435 A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network. CVE-2025-0650 SUSE Linux Micro 6.0:libopenvswitch-3_1-0-3.1.7-4.1 SUSE Linux Micro 6.0:openvswitch-3.1.7-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/ https://www.suse.com/security/cve/CVE-2025-0650.html CVE-2025-0650 https://bugzilla.suse.com/1236353 SUSE Bug 1236353