======================================================================================OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked upload
======================================================================================
:Date: May 27, 2026 :CVE: CVE-2026-49017 Affects ~~~~~~~ - Swift: >=2.35.1 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2 Description ~~~~~~~~~~~Alistair Coles from NVIDIA reported a denial of service vulnerability in Swift's s3api middleware. An authenticated user can send a truncated aws-chunked PUT request that causes a proxy-server worker to enter an infinite loop, consuming CPU and memory until the process becomes permanently unresponsive. Deployments running Swift 2.35.1 or later with the s3api middleware enabled are affected.
Errata ~~~~~~The original advisory listed versions 2.36.0 and later as affected. Swift 2.35.1 and 2.35.2 (2025.1/epoxy) are also affected because aws-chunked support was backported to the 2025.1 branch.
Patches ~~~~~~~ - https://review.opendev.org/990355 (2025.1/epoxy) - https://review.opendev.org/990262 (2025.2/flamingo) - https://review.opendev.org/990261 (2026.1/gazpacho) - https://review.opendev.org/987957 (2026.2/hibiscus) Credits ~~~~~~~ - Alistair Coles from NVIDIA (CVE-2026-49017) References ~~~~~~~~~~ - https://launchpad.net/bugs/2152205 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-49017 OSSA History ~~~~~~~~~~~~ - 2026-05-29 - Errata 1 - 2026-05-27 - Original Version -- Goutham Pacha Ravi (gouthamr) OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html
OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
