Bug 2481759 (CVE-2026-49017) - CVE-2026-49017 openstack-swift: OpenStack Swift: Denial of Service via truncated aws-chunked PUT request
Summary: CVE-2026-49017 openstack-swift: OpenStack Swift: Denial of Service via trunca...
Keywords:
Status: NEW
Alias: CVE-2026-49017
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 03:01 UTC by OSIDB Bzimport
Modified: 2026-06-18 09:40 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 03:01:34 UTC
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.


Note You need to log in before you can comment on or make changes to this bug.