Openstack · Openstack Os-Vif · CVE-2019-15753
**Name of the Vulnerable Software and Affected Versions**
OpenStack os-vif versions 1.15.x through 1.15.1
OpenStack os-vif version 1.16.0
**Description**
The issue affects deployments using the linuxbridge backend, where a hard-coded MAC aging time of 0 disables MAC learning. With learning disabled, the bridge is forced to flood Ethernet frames for non-local destinations, which impedes network performance and potentially allows users to view the content of packets for instances belonging to other tenants on the same network. The problem occurs in the `PyRoute2.add()` function, located in the `internal/command/ip/linux/impl_pyroute2.py` file.
**Recommendations**
For OpenStack os-vif versions 1.15.x through 1.15.1, update to version 1.15.2 or later to resolve the issue.
For OpenStack os-vif version 1.16.0, consider disabling the linuxbridge backend until a patch is available, or restrict access to the affected network to minimize the risk of exploitation.
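A host-side check for the condition described above, added here as an example and not taken from os-vif: it reads each bridge's `ageing_time` from sysfs and reports bridges where the value is 0, together with the ports that receive the flooded frames. It assumes the standard Linux sysfs layout (`/sys/class/net/<bridge>/bridge/ageing_time` and `brif/`); the function name `find_flooding_bridges` is illustrative.

```python
#!/usr/bin/env python3
"""Flag Linux bridges whose MAC ageing time is 0 (MAC learning disabled)."""
import os
import sys


def find_flooding_bridges(sysfs_net="/sys/class/net"):
    """Return [(bridge, [ports])] for every bridge with ageing_time == 0."""
    findings = []
    for name in sorted(os.listdir(sysfs_net)):
        # Only bridge devices expose a bridge/ageing_time attribute.
        ageing_file = os.path.join(sysfs_net, name, "bridge", "ageing_time")
        try:
            with open(ageing_file) as fh:
                ageing = int(fh.read().strip())
        except (OSError, ValueError):
            continue  # not a bridge, or the value could not be parsed
        if ageing == 0:
            # brif/ lists the interfaces attached to this bridge, i.e. the
            # ports that see every flooded frame.
            brif = os.path.join(sysfs_net, name, "brif")
            ports = sorted(os.listdir(brif)) if os.path.isdir(brif) else []
            findings.append((name, ports))
    return findings


def main():
    # Optional argument: alternate sysfs root (assumption, useful for testing).
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys/class/net"
    findings = find_flooding_bridges(root)
    for bridge, ports in findings:
        attached = ", ".join(ports) or "none"
        print(f"{bridge}: ageing_time=0, flooding to ports: {attached}")
    return 1 if findings else 0  # non-zero exit when an affected bridge exists


if __name__ == "__main__":
    sys.exit(main())
```

Run it on each compute host before and after updating os-vif; bridges that already exist may need to be recreated or have their ageing time reset before the check passes.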