From 7991d15564a6ae5552c4ca689959a0bf2ff45d1b Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 16 Jun 2026 17:01:28 +0200 Subject: [PATCH 1/7] Advisory for CVE-2026-46448 / OSSA-2026-022. Signed-off-by: Kurt Garloff --- blog/2026-06-16-nova.md | 86 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 blog/2026-06-16-nova.md diff --git a/blog/2026-06-16-nova.md b/blog/2026-06-16-nova.md new file mode 100644 index 0000000000..f3fdc4d594 --- /dev/null +++ b/blog/2026-06-16-nova.md 
@@ -0,0 +1,86 @@ +--- +title: Lacking sanitization of Nova scheduler hints (OSSA-2026-022 / CVE-2026-46448) +authors: [garloff] +slug: nova_lacking_scheulder_hints_sanitization_ossa_2026_022 +tags: [security, openstack, nova, cve] +--- + +## The vulnerability + +When talking to the OpenStack Nova Compute API, Users can specify scheduler +hints, expressing preferences for Server (VM) placement. Users can however +inject a values `{"_nova_check_type": "rebuild"}` that is only meant to be used +internally in the rebuild context which causes certain resource checks to be +skipped. This can cause placement contraints such as host aggregates, AZs, image +traits to be ignored and cause PCI pass-through resources to not be properly +mapped. While the assigned quota is still observed, the vulnerability may cause +exhaustion of resources and confusion of the scheduler (placement) state and +thus may result in a Denial of Service for certain resource types. + +This issue was reported by Erichen, Institute of Computing Technology, Chinese +Academy of Sciences and was subsequently analyzed and handled by Goutham Pacha Ravi, +Dan Smith and Sylvain Bauza. It was assigned CVE-2026-46448. + +## Impact on the SCS software ecosystem + +Malevolent authenticated users could use this to schedule VMs on hosts that +would normally not be accessible to their VMs (e.g. because they are in a +host aggregate only available to GPU flavors which are manually enabled for +selected customers only). This could result in resource exhaustion for +legitimate users and cause the placement accounting to be confused. + +This will mainly affect providers that exposed specialized features via +special flavors (such as e.g. GPUs) which may be scarce. In particular, +PCI devices may be assigned without proper accounting in the placement +service. + +## Embargo + +The issue was reported to the OpenStack Vulnerability Management Team. 
+Following coordination with the reporters and upstream developers, the official +OpenStack Security Advisory +[OSSA-2026-022](https://security.openstack.org/ossa/OSSA-2026-022.html) was +published on Tuesday, 2026-06-16, 15:00 UTC. + +## Mitigation and Fixes + +The fix consists in ensuring that internal `_nova_` scheduler hints are properly +filtered out in the API exposed to users. + +Providers are advised to deploy fixed nova-api containers. +The SCS ecosystem software providers will provide fixed nova images along with +update instructions: + +- [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-022) +- [yaook](https://yaook.cloud/security-advisories-cve-2026-46448/) + +Operators where users may have caused confusion in the placement accounting +will need to run + +```shell +nova-manage placement heal_allocations +``` + +to ensure that accounting in the placement service is consistent again. + +## References + +- [OSSA-2026-022 Advisory](https://security.openstack.org/ossa/OSSA-2026-022.html) +- [Launchpad Bug #2151252](https://bugs.launchpad.net/nova/+bug/2151252) + +## Thanks + +The author would like to thank the reporters, the OpenStack vulnerability +management team and the abovementioned maintainers for reporting, +analyzing, fixing and handling the issue. + +## Sovereign Cloud Stack Security Contact + +SCS security contact is +[security@scs.community](mailto:security@scs.community), as published on +[https://sovereigncloudstack.org/.well-known/security.txt](https://sovereigncloudstack.org/.well-known/security.txt). + +## Version history + +- Initial draft, v0.5, 2026-06-16, 13:30 CEST +- Initial publication, v1.0, 2026-06-16, 17:00 CEST From 2170dd557b9fb0a0d889dbffe14e4b67e054933f Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 16 Jun 2026 17:05:41 +0200 Subject: [PATCH 2/7] Change filename. 
Signed-off-by: Kurt Garloff --- blog/{2026-06-16-nova.md => 2026-06-16-cve-2026-46448.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog/{2026-06-16-nova.md => 2026-06-16-cve-2026-46448.md} (100%) diff --git a/blog/2026-06-16-nova.md b/blog/2026-06-16-cve-2026-46448.md similarity index 100% rename from blog/2026-06-16-nova.md rename to blog/2026-06-16-cve-2026-46448.md From 0f4c82bb98516803a170a6275536371d57839f33 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 16 Jun 2026 17:14:44 +0200 Subject: [PATCH 3/7] Comment out links that are not yet working. Signed-off-by: Kurt Garloff --- blog/2026-06-16-cve-2026-46448.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/blog/2026-06-16-cve-2026-46448.md b/blog/2026-06-16-cve-2026-46448.md index f3fdc4d594..a35caf79c5 100644 --- a/blog/2026-06-16-cve-2026-46448.md +++ b/blog/2026-06-16-cve-2026-46448.md @@ -49,10 +49,12 @@ filtered out in the API exposed to users. Providers are advised to deploy fixed nova-api containers. The SCS ecosystem software providers will provide fixed nova images along with -update instructions: +update instructions. -- [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-022) -- [yaook](https://yaook.cloud/security-advisories-cve-2026-46448/) + Operators where users may have caused confusion in the placement accounting will need to run From 386b9c28387e9588520820e9df1ca78a369642e0 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 16 Jun 2026 19:42:28 +0200 Subject: [PATCH 4/7] Add link to OSISM advisory Signed-off-by: Kurt Garloff --- blog/2026-06-16-cve-2026-46448.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/blog/2026-06-16-cve-2026-46448.md b/blog/2026-06-16-cve-2026-46448.md index a35caf79c5..a4233ad7ad 100644 --- a/blog/2026-06-16-cve-2026-46448.md +++ b/blog/2026-06-16-cve-2026-46448.md 
@@ -51,10 +51,10 @@ Providers are advised to deploy fixed nova-api containers. The SCS ecosystem software providers will provide fixed nova images along with update instructions. - + --> Operators where users may have caused confusion in the placement accounting will need to run @@ -86,3 +86,4 @@ SCS security contact is - Initial draft, v0.5, 2026-06-16, 13:30 CEST - Initial publication, v1.0, 2026-06-16, 17:00 CEST +- Link OSISM advisory, v1.1, 2026-06-16, 19:30 CEST From e1874559aa2e47d389f82e177fb473c0d3e9c60f Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 16 Jun 2026 23:53:44 +0200 Subject: [PATCH 5/7] Empty line before comment. Signed-off-by: Kurt Garloff --- blog/2026-06-16-cve-2026-46448.md | 1 + 1 file changed, 1 insertion(+) diff --git a/blog/2026-06-16-cve-2026-46448.md b/blog/2026-06-16-cve-2026-46448.md index a4233ad7ad..6f5ff84be9 100644 --- a/blog/2026-06-16-cve-2026-46448.md +++ b/blog/2026-06-16-cve-2026-46448.md @@ -52,6 +52,7 @@ The SCS ecosystem software providers will provide fixed nova images along with update instructions. - [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-022) + From 77c3cc3a91286920e3a1a4e3903661bedf82b023 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Wed, 17 Jun 2026 12:26:40 +0000 Subject: [PATCH 6/7] Link to yaook advisory enabled. Signed-off-by: Kurt Garloff --- blog/2026-06-16-cve-2026-46448.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/blog/2026-06-16-cve-2026-46448.md b/blog/2026-06-16-cve-2026-46448.md index 6f5ff84be9..c89029ec52 100644 --- a/blog/2026-06-16-cve-2026-46448.md +++ b/blog/2026-06-16-cve-2026-46448.md @@ -52,10 +52,7 @@ The SCS ecosystem software providers will provide fixed nova images along with update instructions. - [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-022) - - Operators where users may have caused confusion in the placement accounting will need to run From ebcda2f2ef53149100cc736b081b87d7b216208e Mon Sep 17 00:00:00 2001 
From: Kurt Garloff Date: Wed, 17 Jun 2026 12:29:27 +0000 Subject: [PATCH 7/7] Changelog Signed-off-by: Kurt Garloff --- blog/2026-06-16-cve-2026-46448.md | 1 + 1 file changed, 1 insertion(+) diff --git a/blog/2026-06-16-cve-2026-46448.md b/blog/2026-06-16-cve-2026-46448.md index c89029ec52..85fd4b92a1 100644 --- a/blog/2026-06-16-cve-2026-46448.md +++ b/blog/2026-06-16-cve-2026-46448.md @@ -85,3 +85,4 @@ SCS security contact is - Initial draft, v0.5, 2026-06-16, 13:30 CEST - Initial publication, v1.0, 2026-06-16, 17:00 CEST - Link OSISM advisory, v1.1, 2026-06-16, 19:30 CEST +- Link yaook advisory, v1.2, 2026-06-17, 13:30 CEST
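Review bot: in the PATCH 1/7 hunk the front-matter slug `nova_lacking_scheulder_hints_sanitization_ossa_2026_022` misspells "scheduler"; since the slug is what links to the post will use, it should be corrected to `nova_lacking_scheduler_hints_sanitization_ossa_2026_022` before the advisory is published rather than afterwards. Same hunk, wording in "The vulnerability": "Users can however inject a values `{"_nova_check_type": "rebuild"}`" should read "inject a value", "placement contraints" should be "placement constraints", and "Users" / "Server (VM)" should not be capitalised mid-sentence. The advisory also never states which Nova releases are affected or which nova-api versions carry the fix; "Mitigation and Fixes" would be more useful with a short "affected / fixed versions" line, even if it only defers to the linked OSSA-2026-022 for the exact numbers.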
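Review bot: the PATCH 6/7 hunk re-enables the yaook link so that "update instructions." is again directly followed by the bullet list, but the trailing period introduced in PATCH 3/7 (when the list was commented out) is kept; now that both links are live, the context line should go back to "update instructions:" as in the original text.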
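Review bot: the PATCH 7/7 hunk records the yaook link as "v1.2, 2026-06-17, 13:30 CEST", but the commit that actually enabled the link (PATCH 6/7) is dated Wed, 17 Jun 2026 12:26:40 +0000, i.e. 14:26 CEST, and this changelog commit is 12:29:27 +0000, i.e. 14:29 CEST; the version-history timestamp should be moved to match the publication time of the change (the earlier v1.1 entry has the same drift: "19:30 CEST" against a commit at 19:42 +0200).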