PT-2026-43476 · Openstack · Openstack Swift

Alistair Coles

·

Published

2026-05-27

·

Updated

2026-05-28

·

CVE-2026-49017

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
Name of the Vulnerable Software and Affected Versions OpenStack Swift versions 2.36.0 through 2.36.1 OpenStack Swift versions 2.37.0 through 2.37.1
Description The s3api middleware contains a flaw where the StreamingInput class enters an infinite loop when processing a truncated aws-chunked PUT request body. This occurs because the system repeatedly appends an empty buffer and re-reads the input, causing the proxy-server worker to become permanently unresponsive while consuming increasing amounts of CPU and memory. An authenticated attacker can exploit this to exhaust all proxy-server workers, leading to a denial of service.
Recommendations Update versions 2.36.0 through 2.36.1 to 2.36.2. Update versions 2.37.0 through 2.37.1 to 2.37.2.

Fix

DoS

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49017
GHSA-G7JQ-J257-RWW2

Affected Products

Openstack Swift