CVE-2026-36499
Description
Open vSwitch versions prior to v3.6.90 are vulnerable to DoS via resource exhaustion by requesting an excessive number of threads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing upper-bound check in the udpif_set_threads() function of Open vSwitch versions prior to v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This vulnerability was tested on Open vSwitch v3.6.90 [1].
Exploitation
An attacker with OVSDB write access can exploit this vulnerability by using ovs-vsctl to write an arbitrarily large integer to the `n-revalidator-threads` key of the `other_config` map. For example, setting `other_config:n-revalidator-threads=1000` before creating a new bridge can trigger the vulnerability [1].
Impact
Successful exploitation of this vulnerability can lead to a denial of service (DoS) due to resource exhaustion. The OVS daemon may crash, resulting in the unavailability of the OVS switch [1].
Mitigation
This vulnerability affects Open vSwitch versions prior to v3.6.90. A fix for this issue is available in Open vSwitch v3.6.90 [1]. No workarounds are disclosed in the available references.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
- Range: <3.6.90
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A missing upper-bound check in udpif_set_threads() allows an excessive number of threads to be requested."
Attack vector
An attacker with OVSDB write access can exploit this vulnerability by setting the `n-revalidator-threads` configuration key to an arbitrarily large integer. This is demonstrated by the command `ovs-vsctl set Open_vSwitch . other_config:n-revalidator-threads=1000` [1]. Subsequently, creating a new bridge triggers the crash. The vulnerability affects Open vSwitch v3.6.90 [1].
Affected code
The vulnerability lies within the `udpif_set_threads()` function in Open vSwitch. The reference write-up indicates that setting `other_config:n-revalidator-threads` to a large value triggers the issue, leading to the OVS daemon crashing with a 'Too many open files' error [1].
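A defender can audit the thread-count keys in `other_config` for the condition described above. The script below is an added example, not code from the advisory or from the Open vSwitch project: the function names and the `MAX_THREADS` ceiling of 64 are assumptions (a local policy value, not the bound applied by the fix), `n-handler-threads` is the OVS key for the handler threads mentioned earlier, and the sample map is constructed.

```shell
#!/bin/sh
# Audit other_config thread-count keys against a local policy ceiling.
# MAX_THREADS is an assumed site policy value, not the limit used by the upstream fix.
MAX_THREADS="${MAX_THREADS:-64}"

# lookup_key MAP_TEXT KEY -> prints the value for KEY, or nothing if unset.
# MAP_TEXT is the {k=v, k="v"} form printed by `ovs-vsctl get`; values with
# embedded commas are not handled, which is fine for integer settings.
lookup_key() {
    printf '%s\n' "$1" | tr -d '{}"' | tr ',' '\n' |
        awk -F= -v k="$2" '{
            gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) { print $2; exit }
        }'
}

# audit_thread_config MAP_TEXT -> one line per configured key; returns 1 on any finding.
audit_thread_config() {
    rc=0
    for key in n-handler-threads n-revalidator-threads; do
        val=$(lookup_key "$1" "$key")
        [ -z "$val" ] && continue            # unset: OVS chooses its own default
        case $val in
            *[!0-9]*)
                echo "WARN $key=$val is not a plain integer"; rc=1 ;;
            *)
                # Length guard first: values past 9 digits would overflow the
                # shell integer comparison, and are over any sane ceiling anyway.
                if [ "${#val}" -gt 9 ] || [ "$val" -gt "$MAX_THREADS" ]; then
                    echo "FAIL $key=$val exceeds policy ceiling $MAX_THREADS"; rc=1
                else
                    echo "OK   $key=$val"
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample in the shape `ovs-vsctl get Open_vSwitch . other_config` prints.
# On a live host, pass "$(ovs-vsctl get Open_vSwitch . other_config)" instead.
SAMPLE='{n-handler-threads="4", n-revalidator-threads="1000", vlan-limit="0"}'
audit_thread_config "$SAMPLE" || echo "review other_config before creating bridges"
```
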
What the fix does
The patch introduces an upper bound check for the number of revalidator threads that can be configured. This prevents an attacker from requesting an excessive number of threads, thereby mitigating the resource exhaustion that leads to a denial of service. The advisory does not specify the exact patch details, but the fix addresses the root cause by limiting the thread count.
Preconditions
- auth: Attacker must have OVSDB write access.
- config: The affected version is Open vSwitch v3.6.90.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] open.com (nvd)