CVE-2026-34992

HIGH EPSS 2.3%
Published Apr 6, 20262mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 4.0
High
Find Similar
Published Apr 6, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to 2.4.5 and 2.5.2, a missing encryption vulnerability affects inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fails to apply encryption for IPv6 Pod traffic. While the IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because the packets are encapsulated (using Geneve or VXLAN) but bypass the IPsec encryption layer. Impacted Users: users with dual-stack clusters and IPsec encryption enabled. Single-stack IPv4 or IPv6 clusters are not affected. This vulnerability is fixed in 2.4.5 and 2.5.2.

CVSS Details

Base Score
7.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Adjacent
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
2.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-311

Affected Products 2

VendorProductVersionRange
linuxfoundationantrea* <2.4.5
linuxfoundationantrea*≥2.5.0  –  <2.5.2

References 5

  • github.com https://github.com/antrea-io/antrea/blob/main/docs/traffic-encryption.md
    PatchProduct
  • github.com https://github.com/antrea-io/antrea/commit/738bad662b20a5d358d19466936176ef580a9b07
    Patch
  • github.com https://github.com/antrea-io/antrea/pull/7757
    Issue TrackingPatch
  • github.com https://github.com/antrea-io/antrea/pull/7759
    Issue TrackingPatch
  • github.com https://github.com/antrea-io/antrea/security/advisories/GHSA-qcmw-8mm4-4p28
    PatchVendor Advisory

Remediation

  • github.com https://github.com/antrea-io/antrea/blob/main/docs/traffic-encryption.md
    PatchProduct
  • github.com https://github.com/antrea-io/antrea/commit/738bad662b20a5d358d19466936176ef580a9b07
    Patch
  • github.com https://github.com/antrea-io/antrea/pull/7757
    Issue TrackingPatch
  • github.com https://github.com/antrea-io/antrea/pull/7759
    Issue TrackingPatch
  • github.com https://github.com/antrea-io/antrea/security/advisories/GHSA-qcmw-8mm4-4p28
    PatchVendor Advisory