CVE-2026-49017

Summary

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

Affected Software

VendorProductVersion RangeStatus
OpenStackSwift2.36.0 < 2.36.2affected
OpenStackSwift2.37.0 < 2.37.2affected
OpenStackSwift2.35.1 < 2.35.3affected

Weaknesses

  • CWE-835: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References