CVE-2026-25804

9.1 CRITICAL

📋 TL;DR

A uint16 arithmetic overflow in Antrea's network policy priority assignment causes policies to be enforced with the wrong precedence once a cluster holds enough policies to push the computed priority past the 16-bit range. Kubernetes clusters running a vulnerable Antrea version can see traffic that a policy should block, or block traffic a policy should allow. The issue affects Antrea versions prior to 2.3.2 and 2.4.3.
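The arithmetic behind the TL;DR, as an added illustration that is not Antrea's code. OpenFlow flow priorities are 16-bit values (0 to 65535), so any scheme that derives a rule priority from a policy or rule index with unchecked uint16 arithmetic wraps silently once the index grows large enough. The base value, the spacing between rules and the "decreasing priority with index" ordering below are assumptions chosen for the demo, not Antrea's actual scheme; the checked variant shows the shape of the fix (compute in a wider type and refuse to hand out a priority that would wrap).

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed demo parameters (not Antrea's real values): the highest priority
// given to policy rules and the gap kept between consecutive rules.
const (
	basePriority    uint16 = 64990
	prioritySpacing uint16 = 10
)

// naivePriority mirrors the unchecked pattern: rule i gets base - i*spacing
// in uint16. Once i*spacing exceeds base the subtraction wraps, so a
// low-ranked rule silently receives a priority near 65535 and beats every
// rule that was supposed to take precedence over it.
func naivePriority(index int) uint16 {
	return basePriority - uint16(index)*prioritySpacing
}

var ErrPriorityExhausted = errors.New("rule count exceeds the 16-bit OpenFlow priority space")

// checkedPriority does the same arithmetic in int64 and returns an error
// instead of wrapping, which is the fix shape for this bug class: the
// caller can reject the policy rather than install it with a bogus priority.
func checkedPriority(index int) (uint16, error) {
	if index < 0 {
		return 0, fmt.Errorf("negative rule index %d", index)
	}
	offset := int64(index) * int64(prioritySpacing)
	if offset > int64(basePriority) {
		return 0, ErrPriorityExhausted
	}
	return basePriority - uint16(offset), nil
}

// ordered reports whether priorities strictly decrease with rule index,
// i.e. whether the intended precedence survived the arithmetic.
func ordered(prios []uint16) bool {
	for i := 1; i < len(prios); i++ {
		if prios[i] >= prios[i-1] {
			return false
		}
	}
	return true
}

func main() {
	// 6499 is the last index that fits (6499*10 == basePriority); beyond it
	// the naive version wraps while the checked version refuses.
	n := 7000
	naive := make([]uint16, n)
	for i := range naive {
		naive[i] = naivePriority(i)
	}
	fmt.Printf("naive: ordered=%v rule6498=%d rule6499=%d rule6500=%d rule6999=%d\n",
		ordered(naive), naive[6498], naive[6499], naive[6500], naive[6999])

	for _, i := range []int{0, 6499, 6500} {
		p, err := checkedPriority(i)
		fmt.Printf("checked: rule %d -> priority %d, err=%v\n", i, p, err)
	}
}
```

Rule 6500 wraps to 65526 in the naive version and outranks rule 0, which is exactly the "incorrect traffic enforcement" outcome: a deny rule that should lose to an earlier allow (or vice versa) wins instead.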

💻 Affected Systems

Products:
  • Antrea
Versions: All versions prior to 2.3.2 and 2.4.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: No configuration setting prevents the overflow; it is reached only in clusters whose policy count is large enough for the computed priorities to exceed the uint16 range. The page does not state the exact count.

📦 What is this software?

Antrea is a Kubernetes CNI plugin built on Open vSwitch. It implements Kubernetes NetworkPolicy and its own Antrea-native policies (with tiers and priorities) by programming OpenFlow rules on each node, and OpenFlow rule priorities are 16-bit values, which is the space the overflowing priority assignment lands in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Network policies fail to enforce correctly, allowing unauthorized traffic between pods or external access to sensitive services, potentially leading to data exfiltration or lateral movement.

🟠 Likely Case

Inconsistent network policy enforcement causing intermittent connectivity issues or unintended traffic patterns within the Kubernetes cluster.

🟢 If Mitigated

With proper network segmentation and defense-in-depth controls, impact is limited to potential policy bypass within the affected Antrea-controlled network segment.

🌐 Internet-Facing: MEDIUM - While the vulnerability affects internal traffic enforcement, misconfigured policies could allow unintended external access if combined with other issues.
🏢 Internal Only: HIGH - Directly impacts internal network policy enforcement which is critical for Kubernetes security posture.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to create enough network policies, with priority values chosen to push the computation past the uint16 range, which means RBAC rights to create Kubernetes or Antrea-native policy objects. A large cluster can also reach the condition without any attacker, simply through legitimate policy growth.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.2 or 2.4.3

Vendor Advisory: https://github.com/antrea-io/antrea/security/advisories/GHSA-86x4-wp9f-wrr9

Restart Required: Yes

Instructions:

1. Back up the current Antrea configuration (the Antrea ConfigMap in kube-system and your Antrea-native policy objects).
2. Update Antrea to 2.3.2 or 2.4.3 using the same method you deployed it with (the release manifest or the Helm chart).
3. Confirm the antrea-controller Deployment and the antrea-agent DaemonSet have rolled to the new image; restart any pods that did not.
4. Verify that network policies are enforced correctly with traffic tests between pods that a policy should separate.

🔧 Temporary Workarounds

Limit Network Policy Count

linux

Reduce the number of network policies so that priority calculations stay inside the uint16 range. Count both Kubernetes NetworkPolicy objects and Antrea-native policies, since all of them are assigned priorities by Antrea.

kubectl get networkpolicies -A --no-headers | wc -l
kubectl get acnp,anp -A --no-headers | wc -l
# Track these counts over time. The advisory does not publish the exact
# count at which the overflow triggers, so treat a rising count as a
# reason to patch rather than as a number to stay under.

🧯 If You Can't Patch

  • Implement additional network segmentation using host-level firewalls or service mesh solutions
  • Deploy network policy validation tools to detect incorrect enforcement

🔍 How to Verify

Check if Vulnerable:

List the Antrea images running in the cluster:

kubectl get pods -n kube-system -l app=antrea -o jsonpath='{.items[*].spec.containers[*].image}'

Check Version:

kubectl get pods -n kube-system -l app=antrea -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+' | sort -u

Antrea image tags carry a leading v (for example antrea-agent-ubuntu:v2.3.1), so a pattern that only matches antrea:[0-9.]* returns nothing. antctl version also prints the running controller version.

Verify Fix Applied:

Confirm every Antrea image reports 2.3.2 or 2.4.3 (or later on the same line), then test policy enforcement with traffic between pods that a policy should isolate.
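A small classifier for the version check above, added here as an example rather than an Antrea tool. It reads the image list from kubectl on stdin and reports, per image, whether the tag falls before 2.3.2 on the 2.3 line, before 2.4.3 on the 2.4 line, or before 2.3 altogether. Treating 2.5 and later as fixed is an assumption (the page lists no affected 2.5 release), and so is the v-prefixed tag format.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Status is the classification of one Antrea image tag.
type Status string

const (
	Vulnerable Status = "vulnerable"
	Fixed      Status = "fixed"
	Unparsable Status = "unparsable"
)

// Matches "v2.3.1", "2.4.3", "v2.3.1-rc1"; the leading v is optional.
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)`)

// AntreaStatus classifies a tag against the fixed versions in this advisory:
// 2.3.2 closes the 2.3 line, 2.4.3 closes the 2.4 line, and everything older
// than 2.3 is affected. Releases at or above 2.5 are assumed fixed.
func AntreaStatus(tag string) Status {
	m := versionRe.FindStringSubmatch(tag)
	if m == nil {
		return Unparsable
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	switch {
	case major < 2, major == 2 && minor < 3:
		return Vulnerable
	case major == 2 && minor == 3:
		if patch < 2 {
			return Vulnerable
		}
		return Fixed
	case major == 2 && minor == 4:
		if patch < 3 {
			return Vulnerable
		}
		return Fixed
	default:
		return Fixed
	}
}

// ImageTag returns the tag part of an image reference, ignoring a digest
// suffix and a registry port ("registry:5000/antrea/x:v2.4.3" -> "v2.4.3").
// A digest-only reference has no tag and yields "".
func ImageTag(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		image = image[:i]
	}
	slash := strings.LastIndex(image, "/")
	colon := strings.LastIndex(image, ":")
	if colon > slash {
		return image[colon+1:]
	}
	return ""
}

// Usage:
//   kubectl get pods -n kube-system -l app=antrea \
//     -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' \
//     | sort -u | go run antrea_check.go
func main() {
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		img := strings.TrimSpace(sc.Text())
		if img == "" {
			continue
		}
		fmt.Printf("%-60s %s\n", img, AntreaStatus(ImageTag(img)))
	}
}
```

Digest-pinned images come back as unparsable; resolve those against the tag they were built from before deciding they are patched.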

📡 Detection & Monitoring

Log Indicators:

  • Antrea controller logs showing priority calculation errors
  • Unexpected OpenFlow rule priority values in Antrea logs

Network Indicators:

  • Traffic flowing between pods that should be blocked by network policies
  • Inconsistent policy enforcement across similar workloads

SIEM Query:

source="antrea" AND ("priority overflow" OR ("OpenFlow priority" AND error))

The grouping matters: without the inner parentheses, AND binds tighter than OR in most query languages and the query silently matches every "priority overflow" line regardless of source. Adjust the search terms to your log format; the exact message text is not quoted in the advisory.
