CVE-2026-44919

NameCVE-2026-44919
DescriptionIn OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6341-1
Debian Bugs1136655

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ironic (PTS)bullseye1:16.0.3-1vulnerable
bookworm1:21.1.0-3vulnerable
bookworm (security)1:21.4.4-0+deb12u1fixed
trixie1:29.0.0-7vulnerable
trixie (security)1:29.0.5-0+deb13u2fixed
forky, sid1:35.0.1-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ironicsourcebookworm1:21.4.4-0+deb12u1DSA-6341-1
ironicsourcetrixie1:29.0.5-0+deb13u2DSA-6341-1
ironicsource(unstable)1:35.0.1-31136655

Notes

[bullseye] - ironic <no-dsa> (Minor issue)
https://bugs.launchpad.net/ironic/+bug/2150332
https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0
Search for package or bug name: Reporting problems