### Summary
An authenticated attacker can bypass Placement API resource constraints by
injecting the `_nova_check_type` sentinel value into the computing allocation
flow via the `os:scheduler_hints` property. This tricks the scheduler into
evaluating the creation context as a `rebuild` rather than a standard create,
skipping Placement resource claims entirely. It inherently allows uncontrolled
ghost instance provisioning, denying resources to legitimate users and crashing
compute hosts due to physical exhaustion.

### Details
The OpenStack Nova Scheduler component (nova/scheduler/utils.py) utilizes the
function `request_is_rebuild(spec_obj)` whose primary purpose is to determine
whether a pending scheduling request correctly corresponds to an instance
rebuild. During a legitimate rebuild operation, an instance remains on its
original host, and therefore Nova does not need to allocate fresh placement
metrics for it.

However, the architecture flaw arises due to a lack of strict parameter
isolation at the external API boundary:

1. The JSON schema for the `/servers` create API
   (nova/api/openstack/compute/schemas/servers.py) explicitly specifies
   `additionalProperties: True` for the `os:scheduler_hints` block, failing to
   filter internal-only sentinel values prefixed with `_nova_`.
2. The user-provided `scheduler_hints` is directly assigned in
   nova/api/openstack/compute/servers.py without stripping internal protected
   variables before passing the request down to the RPC worker.
3. The type coercion performed by OpenStack (`DictOfListOfStringsField` in
   nova/objects/request_spec.py) transforms the scalar string `"rebuild"` to a
   list `['rebuild']`, making it exactly match the scheduler's explicit check
   returning `check_type == ['rebuild']` inside nova/scheduler/utils.py.

As a result, an attacker uploading `{"_nova_check_type": "rebuild"}` tricks
the resource claiming routine into early returning `True` (bypassing the
Placement capacity assignment).
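
The flow described in the report, and the effect of stripping `_nova`-prefixed hints at the API boundary, shown as an added example that is not part of the original report and is not Nova's code. It is a simplified model: `coerce_hints`, `strip_internal_hints`, `schedule_create`, the one-vCPU capacity accounting and the request body are assumptions made for illustration; only the hint name, the coercion to a list and the `== ['rebuild']` comparison come from the report.

```python
# Added illustration: a simplified model of the reported flow, not Nova's code.
INTERNAL_PREFIX = "_nova"  # prefix named in the upstream patch title


def coerce_hints(hints):
    """Model of the DictOfListOfStringsField coercion: scalar -> [str]."""
    return {k: [str(i) for i in v] if isinstance(v, list) else [str(v)]
            for k, v in hints.items()}


def request_is_rebuild(hints):
    """Model of the scheduler check described in the report."""
    return hints.get("_nova_check_type") == ["rebuild"]


def strip_internal_hints(hints):
    """Hardened API boundary: drop caller-supplied internal sentinels."""
    return {k: v for k, v in hints.items()
            if not k.startswith(INTERNAL_PREFIX)}


def schedule_create(body, free_vcpus, harden):
    """Return (claimed, free_vcpus_after) for a 1-vCPU create request."""
    hints = dict(body.get("os:scheduler_hints", {}))
    if harden:
        hints = strip_internal_hints(hints)
    spec_hints = coerce_hints(hints)
    if request_is_rebuild(spec_hints):
        return False, free_vcpus          # claim skipped, capacity untouched
    if free_vcpus < 1:
        raise RuntimeError("NoValidHost: no capacity left")
    return True, free_vcpus - 1


# Constructed request body carrying the sentinel from the report.
CRAFTED = {"server": {"name": "demo"},
           "os:scheduler_hints": {"_nova_check_type": "rebuild",
                                  "group": "placeholder-group-id"}}
```

With `harden=False` the crafted create is accepted on a host with zero free capacity and no claim is recorded; with `harden=True` the same body goes through the normal claim path and ordinary hints such as `group` are preserved.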

Hello,

Bug #1140149 in nova reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/nova/-/commit/5292e01d7592fdd3e7bab413ed4b8b3300bb3bfa

------------------------------------------------------------------------
* CVE-2026-46448 / OSSN-2026-022: Nova scheduler hint injection bypasses
  Placement resource claims and scheduling constraints. Applied upstream
  patch: "Strip internal _nova-prefixed scheduler hints on create"
  (Closes: #1140149).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1140149

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1140149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 10 Jun 2026 09:59:57 +0200
Source: nova
Architecture: source
Version: 2:33.0.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1140149
Changes:
 nova (2:33.0.1-4) unstable; urgency=medium
 .
   * CVE-2026-46448 / OSSN-2026-022: Nova scheduler hint injection bypasses
     Placement resource claims and scheduling constraints. Applied upstream
     patch: "Strip internal _nova-prefixed scheduler hints on create"
     (Closes: #1140149).