PT-2026-43476 · Openstack · Openstack Swift
Alistair Coles
·
Published
2026-05-27
·
Updated
2026-05-28
·
CVE-2026-49017
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L |
Name of the Vulnerable Software and Affected Versions
OpenStack Swift versions 2.36.0 through 2.36.1
OpenStack Swift versions 2.37.0 through 2.37.1
Description
The s3api middleware contains a flaw where the
StreamingInput class enters an infinite loop when processing a truncated aws-chunked PUT request body. This occurs because the system repeatedly appends an empty buffer and re-reads the input, causing the proxy-server worker to become permanently unresponsive while consuming increasing amounts of CPU and memory. An authenticated attacker can exploit this to exhaust all proxy-server workers, leading to a denial of service.Recommendations
Update versions 2.36.0 through 2.36.1 to 2.36.2.
Update versions 2.37.0 through 2.37.1 to 2.37.2.
Fix
DoS
Infinite Loop
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openstack Swift