CVE-2026-44919: OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices

May 14, 2026 (updated June 8, 2026)

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

References

bugs.launchpad.net/ironic/+bug/2150332
github.com/advisories/GHSA-4g73-w726-53h3
nvd.nist.gov/vuln/detail/CVE-2026-44919
opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0
security.openstack.org/ossa/OSSA-2026-013.html

Code Behaviors & Features

Detect and mitigate CVE-2026-44919 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →