CVE-2026-49017

Sažetak

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

Reference

https://bugs.launchpad.net/bugs/2152205
https://review.opendev.org/c/openstack/swift/+/987957
https://review.opendev.org/c/openstack/swift/+/988093
http://www.openwall.com/lists/oss-security/2026/05/27/9
http://www.openwall.com/lists/oss-security/2026/06/02/6

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

02-06-2026 - 20:16

Objavljeno

27-05-2026 - 02:16