VYPR
High severity · NVD Advisory · Published May 5, 2024 · Updated Aug 2, 2024

CVE-2024-34486

Description

OFPPacketQueue in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via OFPQueueProp.len=0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-34486: Infinite loop in Ryu's OFPPacketQueue parser via crafted OpenFlow message with OFPQueueProp.len=0, enabling DoS.

Vulnerability

CVE-2024-34486 resides in the OFPPacketQueue parser within parser.py of the Faucet SDN Ryu framework (version 4.34). The bug occurs when OFPQueueProp.len is set to 0: the parsing loop ("while length < len_") then never increments its variables, causing an infinite loop [3].
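The following is an added example, not code from Ryu or from the advisory: a small model of a length-driven property loop of the kind described above, next to a variant that validates each property length before advancing. The struct layouts (OpenFlow 1.0 style 8-byte queue and property headers), the function names, the max_iter cap and the sample bytes are assumptions made for the illustration.

```python
import struct

# Assumed OpenFlow 1.0 layouts: 8-byte queue header, 8-byte property header.
QUEUE_HDR = struct.Struct("!IH2x")  # queue_id, len, pad
PROP_HDR = struct.Struct("!HH4x")   # property, len, pad


def parse_unchecked(buf, max_iter=1000):
    """Model of the loop shape in the advisory; returns iterations used.
    max_iter is added here only so the demonstration terminates."""
    _queue_id, len_ = QUEUE_HDR.unpack_from(buf, 0)
    offset = length = QUEUE_HDR.size
    iterations = 0
    while length < len_ and iterations < max_iter:
        _prop, prop_len = PROP_HDR.unpack_from(buf, offset)
        offset += prop_len  # prop_len == 0: neither counter advances
        length += prop_len
        iterations += 1
    return iterations


def parse_checked(buf):
    """Hardened variant: each property must fit and must advance the cursor."""
    if len(buf) < QUEUE_HDR.size:
        raise ValueError("short buffer")
    queue_id, len_ = QUEUE_HDR.unpack_from(buf, 0)
    if len_ < QUEUE_HDR.size or len_ > len(buf):
        raise ValueError("bad queue length %d" % len_)
    offset = length = QUEUE_HDR.size
    props = []
    while length < len_:
        if len_ - length < PROP_HDR.size:
            raise ValueError("truncated property header")
        prop, prop_len = PROP_HDR.unpack_from(buf, offset)
        if prop_len < PROP_HDR.size or prop_len > len_ - length:
            raise ValueError("bad property length %d" % prop_len)
        props.append((prop, buf[offset + PROP_HDR.size:offset + prop_len]))
        offset += prop_len
        length += prop_len
    return queue_id, props


# Constructed samples, not captured traffic: one min-rate property of 16 bytes.
GOOD = QUEUE_HDR.pack(7, 24) + PROP_HDR.pack(1, 16) + struct.pack("!H6x", 500)
ZERO = QUEUE_HDR.pack(7, 24) + PROP_HDR.pack(1, 0) + bytes(8)

if __name__ == "__main__":
    print(parse_checked(GOOD), parse_unchecked(ZERO, max_iter=50))
```

The unchecked loop uses its whole iteration budget on the zero-length sample, while the checked parser rejects that sample with a ValueError before the loop can stall.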

Exploitation

An attacker can trigger this flaw by sending a specially crafted OpenFlow message to a Ryu controller. No authentication is required, and the attacker only needs network access to the controller's OpenFlow port (default 6633). The provided proof-of-concept payload demonstrates the infinite loop by exploiting a zero-length queue property [3].

Impact

Successful exploitation leads to a denial-of-service (DoS) condition: the Ryu controller becomes unresponsive, disrupting SDN network operations.

Mitigation

As noted in the project's repository, Ryu is no longer actively maintained [2]. Users are advised to migrate to the maintained fork os-ken. No patch is available for Ryu; the only mitigation is to avoid using the vulnerable version or to apply network-level filtering to block malicious OpenFlow messages.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ryu (PyPI) | <= 4.34 | -

Affected products

2
  • Faucet SDN/Faucet SDN Ryu (description)
  • ghsa-coords
    Range: <= 4.34

Patches

0

No patches discovered yet.

References

3
