VYPR
Unrated severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-36501

Description

Controller v12.0.5 is vulnerable to Denial of Service via crafted input to Externalizable.readExternal(), causing OutOfMemoryError and JVM shutdown.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An issue exists in the Externalizable.readExternal() component of the OpenDaylight Controller in versions prior to 12.0.5, specifically affecting its Raft implementation. Three Externalizable classes (AE, SS, ServerConfigurationPayload) call in.readInt() and pass the result directly to ImmutableList.builderWithExpectedSize(size) without performing any bounds check. This vulnerability is present in version 12.0.5 [2].

Exploitation

A remote attacker must first join the OpenDaylight Pekko cluster. Once a member, the attacker can send a crafted AppendEntries (AE) message. By setting the entryCount field to Integer.MAX_VALUE, the attacker triggers an attempt to allocate approximately 16 GB of memory, leading to an OutOfMemoryError and subsequent JVM shutdown [2]. Access to port 2550 is required for the attacker to join the cluster [2].

Impact

Successful exploitation of this vulnerability results in a Denial of Service (DoS) by causing an OutOfMemoryError and shutting down the Java Virtual Machine (JVM). This directly impacts the availability of the OpenDaylight controller, rendering it inoperable [2].

Mitigation

It is recommended to add a bounds check before calling builderWithExpectedSize() in all three affected classes. A fixed version is not explicitly mentioned in the provided references, but the issue is known to affect version 12.0.5 [2]. The Controller project does not have user-facing features [1].
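The bounds check recommended above, shown as an added illustration in a hypothetical Externalizable payload class (this is not OpenDaylight's code; the class name, the String entry type and the MAX_ENTRIES limit are assumptions chosen for the example):

```java
import com.google.common.collect.ImmutableList;
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;

// Hypothetical payload carrying a list of entries, modelled on the pattern the
// advisory describes: a length prefix read from the stream sizes the list builder.
public final class EntriesPayload implements Externalizable {
    // Assumed upper bound on how many entries one message may legitimately carry.
    private static final int MAX_ENTRIES = 1 << 16;

    private ImmutableList<String> entries = ImmutableList.of();

    public EntriesPayload() { }

    @Override
    public void writeExternal(ObjectOutput out) throws IOException {
        out.writeInt(entries.size());
        for (String e : entries) {
            out.writeUTF(e);
        }
    }

    // Vulnerable shape: the peer-supplied count is trusted as-is. A count of
    // Integer.MAX_VALUE makes builderWithExpectedSize() try to allocate a backing
    // array of ~2^31 references (~16 GB at 8 bytes each) before a single entry is
    // read, so the JVM fails with OutOfMemoryError.
    public void readExternalUnchecked(ObjectInput in) throws IOException {
        int size = in.readInt();
        ImmutableList.Builder<String> b = ImmutableList.builderWithExpectedSize(size);
        for (int i = 0; i < size; i++) {
            b.add(in.readUTF());
        }
        entries = b.build();
    }

    // Hardened shape: reject negative or implausibly large counts before any
    // allocation happens, so a malformed message costs an exception, not the heap.
    @Override
    public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
        int size = in.readInt();
        if (size < 0 || size > MAX_ENTRIES) {
            throw new IOException("Invalid entry count: " + size);
        }
        ImmutableList.Builder<String> b = ImmutableList.builderWithExpectedSize(size);
        for (int i = 0; i < size; i++) {
            b.add(in.readUTF());
        }
        entries = b.build();
    }

    public ImmutableList<String> entries() { return entries; }
}
```

The limit should be derived from what the protocol can legitimately carry (for example the configured maximum batch size), not picked arbitrarily, and the same check belongs in every readExternal() that sizes a collection from a value read off the wire.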

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.