Source: swift
Version: 2.35.1-0+deb13u1
Severity: important
Tags: patch
As per official announce:
https://security.openstack.org/ossa/OSSA-2026-014.html
OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked upload
Date: May 27, 2026
CVE: CVE-2026-49017
Affects: Swift: >=2.36.0 <2.36.2, >=2.37.0 <2.37.2
Note from package maintainer: Anything before Trixie is unaffected, because
there was no support for aws-chunked transfer before upstream release
2.35.1. Trixie currently has: 2.35.1-0+deb13u1.
Description:
Alistair Coles from NVIDIA reported a denial of service vulnerability in
Swift’s s3api middleware. An authenticated user can send a truncated
aws-chunked PUT request that causes a proxy-server worker to enter an infinite
loop, consuming CPU and memory until the process becomes permanently
unresponsive. Deployments running Swift 2.36.0 or later with the s3api
middleware enabled are affected.
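As an added illustration (not Swift's s3api code, and not a description of the exact defect fixed by the patches below), the Python decoder here shows the property a streaming aws-chunked reader needs to avoid this failure class: every short read is treated as a truncated body and rejected, never retried. It assumes the standard "<hex-size>;chunk-signature=<hex>" chunk framing without a trailer section, and the sample bodies are constructed with placeholder signatures.

```python
import io
import re

# One chunk header: "<hex-size>;chunk-signature=<64 hex chars>" (CRLF stripped).
CHUNK_HEADER = re.compile(rb"^([0-9a-fA-F]+);chunk-signature=([0-9a-f]{64})$")

class TruncatedChunkedBody(Exception):
    """The stream ended before the terminating zero-size chunk."""

def _read_line(stream):
    line = stream.readline()
    # EOF, or a partial line with no CRLF, means the client stopped sending.
    if not line.endswith(b"\r\n"):
        raise TruncatedChunkedBody("chunk header truncated")
    return line[:-2]

def decode_aws_chunked(stream):
    """Yield each chunk's payload; stop only at the zero-size chunk.

    Every short read is an error: a reader that retries an empty read instead
    of treating it as EOF never terminates, which is what a truncated upload triggers.
    """
    while True:
        m = CHUNK_HEADER.match(_read_line(stream))
        if not m:
            raise ValueError("malformed chunk header")
        size = int(m.group(1), 16)
        data = stream.read(size)
        if len(data) != size:
            raise TruncatedChunkedBody("chunk data truncated")
        if stream.read(2) != b"\r\n":
            raise TruncatedChunkedBody("chunk terminator missing")
        if size == 0:
            return  # final chunk (assumption: no trailer section)
        yield data

def decode_all(raw):
    """Decode an in-memory body into its payload; raises on truncation."""
    return b"".join(decode_aws_chunked(io.BytesIO(raw)))

def is_truncated(raw):
    """True if decoding fails because the body ended early."""
    try:
        decode_all(raw)
        return False
    except TruncatedChunkedBody:
        return True

# Constructed sample bodies (placeholder 64-hex signatures, not real ones).
SIG = b"a" * 64
GOOD_BODY = (b"3;chunk-signature=" + SIG + b"\r\nabc\r\n"
             + b"0;chunk-signature=" + SIG + b"\r\n\r\n")
TRUNCATED_BODY = GOOD_BODY[:86]  # connection dropped after two payload bytes
```

Both truncation points a proxy can see, mid-chunk and between chunks, return from the decoder with an exception instead of looping, so the worker is free to reject the request and move on.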
Patches:
https://review.opendev.org/990262 (2025.2/flamingo)
https://review.opendev.org/990261 (2026.1/gazpacho)
https://review.opendev.org/987957 (2026.2/hibiscus)
Credits:
Alistair Coles from NVIDIA (CVE-2026-49017)
References:
https://launchpad.net/bugs/2152205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-49017