CRE-2025-0027

Neutron Open Virtual Network (OVN) and Virtual Interface (VIF) allows port binding to dead agents, causing VIF plug timeoutsLow

Impact: 7/10

Mitigation: 2/10

CRE-2025-0027View on GitHub

NeutronOvnTimeoutNetworkingOpenstackKnown IssuePublic

Description

In OpenStack deployments using Neutron with the OVN ML2 driver, ports could be bound to agents that were not alive. This behavior led to virtual machines experiencing network interface plug timeouts during provisioning, as the port binding would not complete successfully.

Mitigation

- Upgrade Neutron to a version that includes the fix for this issue: - Master branch: commit `8a55f091925fd5e6742fb92783c524450843f5a0`\n - Stable Yoga branch: commit `267631e8fb35af4d9d96c70c6e6ddba25256f195` - Ensure that Neutron agents are monitored and maintained in a healthy state to prevent binding to inactive agents.

References

• https://bugs.launchpad.net/neutron/+bug/1958501
• https://review.opendev.org/c/openstack/neutron/+/825428
• https://opendev.org/openstack/neutron/commit/8a55f091925fd5e6742fb92783c524450843f5a0
• https://opendev.org/openstack/neutron/commit/267631e8fb35af4d9d96c70c6e6ddba25256f195