[oss-security] [OSSA-2026-014] OpenStack Swift: Swift proxy-server denial of service via truncated s3api chunked upload (CVE-2026-49017)

Goutham Pacha Ravi Wed, 27 May 2026 09:31:43 -0700

======================================================================================

OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked upload

======================================================================================


:Date: May 27, 2026
:CVE: CVE-2026-49017


Affects
~~~~~~~
- Swift: >=2.36.0 <2.36.2, >=2.37.0 <2.37.2


Description
~~~~~~~~~~~

Alistair Coles from NVIDIA reported a denial of service vulnerability in Swift's s3api middleware. An authenticated user can send a truncated aws-chunked PUT request that causes a proxy-server worker to enter an infinite loop, consuming CPU and memory until the process becomes permanently unresponsive. Deployments running Swift 2.36.0 or later with the s3api middleware enabled are affected.




Patches
~~~~~~~
- https://review.opendev.org/990262 (2025.2/flamingo)
- https://review.opendev.org/990261 (2026.1/gazpacho)
- https://review.opendev.org/987957 (2026.2/hibiscus)


Credits
~~~~~~~
- Alistair Coles from NVIDIA (CVE-2026-49017)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2152205
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-49017



--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

OpenPGP_signature.asc
Description: OpenPGP digital signature

[oss-security] [OSSA-2026-014] OpenStack Swift: Swift proxy-server denial of service via truncated s3api chunked upload (CVE-2026-49017)

Reply via email to