CRE-2025-0027

Neutron Open Virtual Network (OVN) and Virtual Interface (VIF) allows port binding to dead agents, causing VIF plug timeouts

Low
Impact: 7/10
Mitigation: 2/10

Description

In OpenStack deployments using Neutron with the OVN ML2 driver, ports could be bound to agents that were not alive. This behavior led to virtual machines experiencing network interface plug timeouts during provisioning, as the port binding would not complete successfully.


Cause

The OVN mechanism driver did not verify the liveness of agents before binding ports. Consequently, ports could be bound to non-responsive agents, resulting in failures during the virtual interface (VIF) plug process.


Mitigation

  • Upgrade Neutron to a version that includes the fix for this issue:
      • Master branch: commit `8a55f091925fd5e6742fb92783c524450843f5a0`
      • Stable Yoga branch: commit `267631e8fb35af4d9d96c70c6e6ddba25256f195`
  • Ensure that Neutron agents are monitored and maintained in a healthy state to prevent binding to inactive agents.
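
One way to monitor for this condition, as an added example that is not part of the original entry or of Neutron itself: cross-reference agent liveness with port bindings to find ports that are bound to a host with no live OVN controller agent and have not become ACTIVE. It assumes records shaped like the output of `openstack network agent list -f json` and `openstack port show -f json`; the sample data and function names are constructed for illustration.

```python
# Agent types registered by the OVN ML2 driver that back a port binding on a host.
OVN_CONTROLLER_TYPES = {"OVN Controller agent", "OVN Controller Gateway agent"}

def is_alive(value):
    """Normalise the Alive column: JSON booleans, or the table glyphs ':-)' / 'XXX'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {":-)", "true"}

def hosts_without_live_controller(agents):
    """Hosts that have an OVN controller agent registered but none reporting alive."""
    seen, live = set(), set()
    for agent in agents:
        if agent.get("Agent Type") not in OVN_CONTROLLER_TYPES:
            continue  # e.g. a live metadata agent does not make the host bindable
        seen.add(agent["Host"])
        if is_alive(agent.get("Alive")):
            live.add(agent["Host"])
    return seen - live

def ports_at_risk(agents, ports):
    """IDs of non-ACTIVE ports bound to a host whose OVN controller agent is dead."""
    dead_hosts = hosts_without_live_controller(agents)
    return sorted(
        p["id"] for p in ports
        if p.get("binding_host_id") in dead_hosts and p.get("status") != "ACTIVE"
    )

# Constructed sample data (assumed field names, not captured from a real cloud).
SAMPLE_AGENTS = [
    {"Agent Type": "OVN Controller agent", "Host": "compute-1", "Alive": True},
    {"Agent Type": "OVN Controller agent", "Host": "compute-2", "Alive": False},
    {"Agent Type": "OVN Metadata agent", "Host": "compute-2", "Alive": True},
    {"Agent Type": "OVN Controller agent", "Host": "compute-3", "Alive": "XXX"},
]
SAMPLE_PORTS = [
    {"id": "port-a", "binding_host_id": "compute-1", "status": "DOWN"},
    {"id": "port-b", "binding_host_id": "compute-2", "status": "DOWN"},
    {"id": "port-c", "binding_host_id": "compute-2", "status": "ACTIVE"},
    {"id": "port-d", "binding_host_id": "compute-3", "status": "DOWN"},
]

if __name__ == "__main__":
    print("hosts with dead OVN controller:",
          sorted(hosts_without_live_controller(SAMPLE_AGENTS)))
    print("ports at risk of VIF plug timeout:",
          ports_at_risk(SAMPLE_AGENTS, SAMPLE_PORTS))
```
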

References