CVE-2026-49017
Description
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenStack Swift s3api middleware enters an infinite loop on truncated aws-chunked PUT requests, allowing authenticated attackers to cause denial of service by exhausting proxy-server workers.
Vulnerability
In OpenStack Swift, the s3api middleware's StreamingInput class enters an infinite loop when processing a truncated aws-chunked PUT request body. The defect was introduced in Swift 2.36.0 and affects versions before 2.36.2 and 2.37.2 [1]. The loop occurs because the class repeatedly appends an empty buffer (b'') and re-reads, never terminating.
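The failure mode described above is a read loop that treats an empty read (b'') as "try again" rather than as end-of-stream. As an added illustration that is not Swift's own code or its fix, the decoder below parses an aws-chunked body while bounding every read and treating a premature EOF as a hard error; the chunk-header layout (`<hex-size>;chunk-signature=...`), the function names and the sample bodies are assumptions constructed for this example, and signature checking is deliberately left out.

```python
import io
import re

# Hypothetical decoder (not Swift's): hex size, optional ';chunk-signature=...' extension.
CHUNK_HEADER = re.compile(rb"^([0-9a-fA-F]+)(?:;[^\r\n]*)?$")


class TruncatedBody(ValueError):
    """The stream ended before the chunked body was complete."""


def _read_exact(stream, n):
    """Read exactly n bytes; an empty read before that means the client went away."""
    buf = bytearray()
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:  # b'' is EOF, never a reason to loop and re-read
            raise TruncatedBody(f"expected {n} bytes, got {len(buf)}")
        buf += piece
    return bytes(buf)


def _read_line(stream, limit=8192):
    """Read one CRLF-terminated header line, bounded in length, failing on EOF."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        if len(line) > limit:
            raise ValueError("chunk header too long")
        ch = stream.read(1)
        if not ch:
            raise TruncatedBody("EOF inside chunk header")
        line += ch
    return bytes(line[:-2])


def decode_aws_chunked(stream):
    """Return the decoded payload; raise TruncatedBody or ValueError on bad input."""
    out = bytearray()
    while True:
        m = CHUNK_HEADER.match(_read_line(stream))
        if not m:
            raise ValueError("malformed chunk header")
        size = int(m.group(1), 16)
        if size == 0:  # final chunk; any trailers would follow, then a blank line
            return bytes(out)
        out += _read_exact(stream, size)
        if _read_exact(stream, 2) != b"\r\n":
            raise ValueError("missing CRLF after chunk data")


def body_is_complete(data):
    """True if the constructed sample body decodes fully, False if it was truncated."""
    try:
        decode_aws_chunked(io.BytesIO(data))
        return True
    except TruncatedBody:
        return False
```

A decoder written this way returns an error to the client on a cut-off chunk and frees the worker, instead of spinning on an empty buffer.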
Exploitation
An attacker must have valid credentials to send authenticated PUT requests to the Swift proxy-server. By sending a truncated aws-chunked PUT request that ends in the middle of a chunk, the attacker triggers the infinite loop in the StreamingInput class [1]. The attacker can systematically send multiple such requests to exhaust all proxy-server workers, causing a denial of service.
Impact
A successful attack causes the proxy-server worker handling the request to become permanently unresponsive, with increasing CPU and memory consumption. This blocks other request handling in the same process and, when repeated across workers, leads to complete denial of service for the Swift cluster [1].
Mitigation
Upgrade to Swift version 2.36.2 or 2.37.2, which contain the fix for this issue [1]. No workaround is available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.