oss-sec mailing list archives
[OSSA-2026-014] OpenStack Swift: Errata 1 - Proxy-server denial of service via truncated s3api chunked upload, (CVE-2026-49017)
From: Goutham Pacha Ravi <gouthampravi () gmail com>
Date: Tue, 2 Jun 2026 08:16:30 -0700
======================================================================================OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked upload
====================================================================================== :Date: May 27, 2026 :CVE: CVE-2026-49017 Affects ~~~~~~~ - Swift: >=2.35.1 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2 Description ~~~~~~~~~~~Alistair Coles from NVIDIA reported a denial of service vulnerability in Swift's s3api middleware. An authenticated user can send a truncated aws-chunked PUT request that causes a proxy-server worker to enter an infinite loop, consuming CPU and memory until the process becomes permanently unresponsive. Deployments running Swift 2.35.1 or later with the s3api middleware enabled are affected.
Errata ~~~~~~The original advisory listed versions 2.36.0 and later as affected. Swift 2.35.1 and 2.35.2 (2025.1/epoxy) are also affected because aws-chunked support was backported to the 2025.1 branch.
Patches ~~~~~~~ - https://review.opendev.org/990355 (2025.1/epoxy) - https://review.opendev.org/990262 (2025.2/flamingo) - https://review.opendev.org/990261 (2026.1/gazpacho) - https://review.opendev.org/987957 (2026.2/hibiscus) Credits ~~~~~~~ - Alistair Coles from NVIDIA (CVE-2026-49017) References ~~~~~~~~~~ - https://launchpad.net/bugs/2152205 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-49017 OSSA History ~~~~~~~~~~~~ - 2026-05-29 - Errata 1 - 2026-05-27 - Original Version -- Goutham Pacha Ravi (gouthamr) OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html
Attachment:
OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA-2026-014] OpenStack Swift: Errata 1 - Proxy-server denial of service via truncated s3api chunked upload, (CVE-2026-49017) Goutham Pacha Ravi (Jun 02)
