VYPR
High severityNVD Advisory· Published May 27, 2026· Updated Jun 2, 2026

CVE-2026-49017

CVE-2026-49017

Description

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • OpenStack/Swiftinferred2 versions
    <2.36.2,<2.37.2+ 1 more
    • (no CPE)range: <2.36.2,<2.37.2
    • (no CPE)range: <2.36.2, <2.37.2

Patches

Vulnerability mechanics

References

5

News mentions

1