DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25804: Antrea Integer Overflow: When 65536 Equals 0 (and Admin Rules Don't Matter)


Vulnerability ID: CVE-2026-25804
CVSS Score: 8.0
Published: 2026-02-06

A high-severity (CVSS 8.0) integer overflow in Antrea's priority assignment logic lets low-priority network policies wrap around and supersede high-priority security rules. By flooding the cluster with policies, an attacker can push the computed OpenFlow priorities past the 16-bit limit so that they wrap to small values, effectively bypassing cluster-wide firewall and segmentation rules through nothing more than unsigned arithmetic wraparound.

TL;DR

Antrea computed OpenFlow priorities with 16-bit integers, the same width as an OpenFlow priority itself. Create enough rules and an intermediate value reaches 65536, which wraps to 0, so a 'low priority' rule is assigned a 'maximum priority' slot. This lets an attacker jump security tiers (Tier Jumping) and override admin policies.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-190 (Integer Overflow or Wraparound)
  • CVSS v4.0: 8.0 (High)
  • Attack Vector: Network
  • Impact: Security Bypass / Privilege Escalation
  • Affected Protocol: OpenFlow
  • Language: Go

Affected Systems

  • Antrea Kubernetes CNI
  • Antrea: < 2.3.2 (Fixed in: 2.3.2)
  • Antrea: 2.4.0 - 2.4.2 (Fixed in: 2.4.3)

Code Analysis

Commit: 86c4b60

Fix arithmetic overflow in priority assignment (Main Branch)

tierOffset := uint32(tierOffsetBase) * uint32(p.TierPriority) // both operands widened to uint32 so the product is computed in 32 bits and cannot silently wrap at 65536

Commit: 39f21b3

Backport of overflow fix to release-2.4

tierOffset := uint32(tierOffsetBase) * uint32(p.TierPriority) // same one-line change as on the main branch, applied to release-2.4
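The TL;DR above describes the wraparound and the two commits show the one-line fix. The following Go program is an added illustration, not Antrea's code: it models a tier offset as tierOffsetBase * TierPriority subtracted from the top of the 16-bit OpenFlow range, computes it once in uint16 (the vulnerable width) and once in uint32 with a range check (the fixed width), and shows a tier whose product reaches exactly 65536 wrapping to 0 and jumping above an admin tier. The constants, policy names, the subtract-from-top layout and the tier priority of 256 are assumptions chosen to make the wrap visible; Antrea's real constants and table layout differ.

```go
package main

import "fmt"

// OpenFlow priorities are 16-bit: 65535 is the highest a flow can carry.
const maxOFPriority uint16 = 65535

// tierOffsetBase is the assumed spacing reserved per tier. Illustrative only;
// it is not Antrea's constant.
const tierOffsetBase uint16 = 256

// policy is a minimal stand-in for a tiered network policy. As in Antrea,
// a lower TierPriority means a more important tier.
type policy struct {
	Name         string
	TierPriority int32
}

// vulnerableOFPriority computes the tier offset at the 16-bit width of the
// result. The product wraps modulo 65536, so a large TierPriority collapses
// to a tiny offset and the policy lands at or near the top of the table.
func vulnerableOFPriority(p policy) uint16 {
	tierOffset := tierOffsetBase * uint16(p.TierPriority)
	return maxOFPriority - tierOffset
}

// fixedOFPriority widens both operands to uint32 before multiplying, as the
// upstream fix does, and refuses to emit an offset that would not fit in
// 16 bits instead of letting it wrap.
func fixedOFPriority(p policy) (uint16, error) {
	tierOffset := uint32(tierOffsetBase) * uint32(p.TierPriority)
	if tierOffset > uint32(maxOFPriority) {
		return 0, fmt.Errorf("policy %q: tier offset %d exceeds the 16-bit OpenFlow range", p.Name, tierOffset)
	}
	return maxOFPriority - uint16(tierOffset), nil
}

// outranksUnderVulnerableMath reports whether the switch would match a before
// b when both priorities come from the wrapping computation (higher wins).
func outranksUnderVulnerableMath(a, b policy) bool {
	return vulnerableOFPriority(a) > vulnerableOFPriority(b)
}

// firstWrappingTier scans tier priorities upward and returns the first one
// whose 32-bit product no longer fits in 16 bits, i.e. where the vulnerable
// and fixed computations start to disagree. Returns -1 if none up to limit.
func firstWrappingTier(limit int32) int32 {
	for tp := int32(0); tp <= limit; tp++ {
		if uint32(tierOffsetBase)*uint32(tp) > uint32(maxOFPriority) {
			return tp
		}
	}
	return -1
}

func main() {
	admin := policy{Name: "securityops-deny-all", TierPriority: 50}
	rogue := policy{Name: "tenant-allow-all", TierPriority: 256} // 256*256 = 65536, which is 0 in uint16

	for _, p := range []policy{admin, rogue} {
		fixed, err := fixedOFPriority(p)
		fmt.Printf("%-22s vulnerable=%5d fixed=%5d err=%v\n", p.Name, vulnerableOFPriority(p), fixed, err)
	}
	fmt.Println("rogue outranks admin under 16-bit math:", outranksUnderVulnerableMath(rogue, admin))
	fmt.Println("first tier priority that wraps:", firstWrappingTier(1000))
}
```

Under the 16-bit computation the rogue policy receives priority 65535 and outranks the admin policy at 52735; under the widened computation the same policy is rejected with an error instead of being installed at the top of the table. The range check after the multiplication is the part worth copying: widening alone only moves the wrap point, refusing out-of-range offsets removes it.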

Exploit Details

  • Unit Test PoC: Go unit test that generates 500 priorities to exercise the overflow handling.

Mitigation Strategies

  • Upgrade the Antrea controller and agents to 2.3.2 or 2.4.3 (or later) immediately
  • Apply ResourceQuota object-count limits (for example count/networkpolicies.networking.k8s.io) so a single namespace cannot flood the controller with policies; note that ResourceQuota is namespaced and cannot cap cluster-scoped policies
  • Audit the raw OVS flow tables (ovs-ofctl dump-flows br-int from the antrea-ovs container of an antrea-agent pod) for policy rules whose priority sits outside the band expected for their table
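The last mitigation above, auditing the flow tables, is easiest to do mechanically. The Go program below is an added example, not an Antrea tool: it parses ovs-ofctl dump-flows output, applies the OpenFlow default priority (32768) to flows that are printed without a priority= field, and reports every flow in a watched table whose priority exceeds the ceiling you expect policy rules to occupy there. The sample dump is constructed, and the table numbers and ceilings in sampleCeilings are assumptions; take the real values from the Antrea release you run, since the table layout differs between versions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// defaultOFPriority is what OpenFlow assigns to a flow added without an
// explicit priority; ovs-ofctl dump-flows omits "priority=" for such flows.
const defaultOFPriority uint16 = 32768

// anomaly records one flow whose priority is above the ceiling expected for
// its table.
type anomaly struct {
	Table    int
	Priority uint16
	Flow     string
}

var (
	tableRe    = regexp.MustCompile(`\btable=(\d+)`)
	priorityRe = regexp.MustCompile(`\bpriority=(\d+)`)
)

// parseFlow extracts the table number and priority from one dump-flows line.
// ok is false for lines that are not flow entries (e.g. the NXST_FLOW header).
func parseFlow(line string) (table int, prio uint16, ok bool) {
	m := tableRe.FindStringSubmatch(line)
	if m == nil {
		return 0, 0, false
	}
	table, err := strconv.Atoi(m[1])
	if err != nil {
		return 0, 0, false
	}
	prio = defaultOFPriority
	if pm := priorityRe.FindStringSubmatch(line); pm != nil {
		v, err := strconv.ParseUint(pm[1], 10, 16)
		if err != nil {
			return 0, 0, false
		}
		prio = uint16(v)
	}
	return table, prio, true
}

// auditFlows returns every flow in a watched table whose priority is above
// the ceiling for that table. Tables absent from ceilings are ignored.
func auditFlows(dump string, ceilings map[int]uint16) []anomaly {
	var found []anomaly
	for _, raw := range strings.Split(dump, "\n") {
		line := strings.TrimSpace(raw)
		table, prio, ok := parseFlow(line)
		if !ok {
			continue
		}
		ceiling, watched := ceilings[table]
		if watched && prio > ceiling {
			found = append(found, anomaly{Table: table, Priority: prio, Flow: line})
		}
	}
	return found
}

// sampleDump is a constructed ovs-ofctl dump-flows excerpt, not a capture
// from a real cluster; table numbers, cookies and actions are placeholders.
const sampleDump = `NXST_FLOW reply (xid=0x4):
 cookie=0x1020000000000, duration=3601.2s, table=50, n_packets=14, n_bytes=1400, priority=64990,conj_id=2,ip actions=load:0x2->NXM_NX_REG5[],resubmit(,61)
 cookie=0x1020000000000, duration=120.4s, table=50, n_packets=0, n_bytes=0, priority=65535,conj_id=9,ip actions=load:0x9->NXM_NX_REG5[],resubmit(,61)
 cookie=0x1020000000000, duration=3601.2s, table=50, n_packets=88, n_bytes=9000, priority=0 actions=resubmit(,60)
 cookie=0x1020000000000, duration=3601.2s, table=60, n_packets=3, n_bytes=300, priority=200,conj_id=4,ip actions=resubmit(,61)
`

// sampleCeilings is an assumed per-table ceiling for policy rule priorities.
var sampleCeilings = map[int]uint16{50: 64990, 60: 64990}

func main() {
	for _, a := range auditFlows(sampleDump, sampleCeilings) {
		fmt.Printf("table %d: priority %d above ceiling %d\n  %s\n", a.Table, a.Priority, sampleCeilings[a.Table], a.Flow)
	}
}
```

On the constructed dump the audit flags exactly one flow: the conj_id=9 rule in table 50 sitting at 65535, the very top of the 16-bit range, which is where a wrapped offset lands. Run it against a real dump by piping the output of ovs-ofctl into auditFlows and setting the ceilings from the priority layout documented for your Antrea version; the default-priority handling matters because a flow installed without an explicit priority would otherwise be missed.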

Remediation Steps:

  1. Identify the running Antrea version on every pod, not only the first one returned: kubectl get pods -n kube-system -l app=antrea -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}'
  2. If the version is < 2.3.2, or 2.4.0 through 2.4.2, schedule maintenance.
  3. Apply the upgrade manifest provided by the vendor for 2.3.2 or 2.4.3 (or later).
  4. Restart all Antrea controller and agent pods.
  5. Verify the fix by confirming that every controller and agent pod now runs a fixed image tag. A silent integer wraparound produces no error in the antrea-controller logs, so a clean log is not evidence that the fix is in place.

References


Read the full report for CVE-2026-25804 on our website for more details including interactive diagrams and full exploit analysis.
