CVE-2026-49017
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
In OpenStack Swift before 2.36.2 and 2.37.2, the s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, so the proxy-server worker handling the request becomes permanently unresponsive while its CPU and memory consumption keep increasing. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
| CWE | CWE-835 |
| Vendor | openstack |
| Product | swift |
| Published | May 27, 2026 |
| Last Updated | Jun 2, 2026 |
Affected Versions
OpenStack / Swift
2.36.0 < 2.36.2
2.37.0 < 2.37.2
2.35.1 < 2.35.3
References
bugs.launchpad.net: https://bugs.launchpad.net/bugs/2152205
review.opendev.org: https://review.opendev.org/c/openstack/swift/+/987957
review.opendev.org: https://review.opendev.org/c/openstack/swift/+/988093
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/27/9
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/02/6