Description
A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
Published: 2026-05-05
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow flaw in Open vSwitch allows a remote attacker to send a specially crafted EPASV command longer than 255 characters over an FTP stream. The malformed command triggers a heap access error that crashes the user‑space datapath, causing a denial of service on the affected system. The weakness is classified as a buffer overflow (CWE‑120).

Affected Systems

Red Hat Enterprise Linux 7, 8 and 9 running the Fast Datapath user‑space datapath, Red Hat OpenShift Container Platform 4, and Red Hat OpenStack Platform releases 13 (Queens), 16.2, 17.1, and 18.0 are listed as vulnerable. No specific patch levels are provided in the advisory, so any installed instance of these products that enables conntrack FTP helpers over the user‑space datapath is potentially affected.

Risk and Exploitability

The CVSS score is 5.9, indicating a moderate impact. No EPSS score is available to quantify exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploit is active. Nonetheless, an attacker who can establish an FTP session to the target and has a conntrack flow configured for FTP helpers can inject the oversized EPASV command to trigger a crash. The attack requires remote network access with FTP traffic allowed, and presumably the use of the user‑space datapath. The lack of a KEV listing and the moderate CVSS suggest a reasonable but not urgent threat; however, disruption of network services may be critical for operational environments.

Generated by OpenCVE AI on May 5, 2026 at 17:50 UTC.

Remediation

Vendor Workaround

Optionally, avoid using alg=ftp flows. These are not usually configured.
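
To see whether a host has such flows at all, here is an added audit sketch (not part of the advisory or of Open vSwitch). It lists OpenFlow rules whose ct() action requests the FTP helper and marks those on bridges whose datapath_type is netdev, the userspace datapath. The function names, the bridge name br-sample and the sample flow dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag OpenFlow rules that use the
# conntrack FTP helper on bridges backed by the userspace datapath.

# Read `ovs-ofctl dump-flows` output on stdin and print the rules whose ct()
# action requests the FTP helper. The delimiters keep alg=tftp from matching.
ftp_alg_flows() {
    grep -E '[(,]alg=ftp[,)]' || true
}

# audit_bridge BRIDGE DATAPATH_TYPE < flow-dump
# "netdev" is the userspace datapath named in the advisory; an empty value
# means the default "system" (kernel) datapath.
audit_bridge() {
    bridge=$1
    dp_type=$2
    ftp_alg_flows | while IFS= read -r rule; do
        if [ "$dp_type" = "netdev" ]; then
            printf 'EXPOSED %s: %s\n' "$bridge" "$rule"
        else
            printf 'INFO %s (datapath_type=%s): %s\n' "$bridge" "${dp_type:-system}" "$rule"
        fi
    done
}

# Constructed sample dump (hypothetical rules), used when OVS is absent.
sample_flows() {
    cat <<'EOF'
 cookie=0x0, duration=9.1s, table=0, n_packets=0, n_bytes=0, priority=100,ct_state=-trk,tcp,tp_dst=21 actions=ct(commit,alg=ftp,table=1)
 cookie=0x0, duration=9.1s, table=0, n_packets=0, n_bytes=0, priority=100,udp,tp_dst=69 actions=ct(commit,alg=tftp,table=1)
 cookie=0x0, duration=9.1s, table=1, n_packets=0, n_bytes=0, priority=0 actions=NORMAL
EOF
}

# Live audit of every bridge on this host (read-only commands).
audit_host() {
    for br in $(ovs-vsctl list-br); do
        dp=$(ovs-vsctl get Bridge "$br" datapath_type | tr -d '"')
        ovs-ofctl dump-flows "$br" | audit_bridge "$br" "$dp"
    done
}

if command -v ovs-vsctl >/dev/null 2>&1; then
    audit_host
else
    sample_flows | audit_bridge br-sample netdev
fi
```

Lines marked EXPOSED are the rules the workaround refers to. INFO lines use the FTP helper on a bridge that is not on the userspace datapath.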


OpenCVE Recommended Actions

  • Disable any FTP flows that rely on the user‑space datapath or remove conntrack FTP helpers from the Open vSwitch configuration if transport layer security is not required.
  • If FTP connectivity is essential, re‑configure Open vSwitch to use the kernel datapath or a different helper that does not process oversized EPASV commands.
  • Check the Red Hat advisory and apply the vendor‑issued patch or update when it becomes available to eliminate the underlying heap overflow.

Advisories

No advisories yet.

History

Tue, 05 May 2026 17:30:00 +0000

Type / Values Removed / Values Added
References:

Tue, 05 May 2026 16:15:00 +0000

Type / Values Removed / Values Added
Description: A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
Title: Openvswitch: open vswitch: denial of service via malformed ftp epasv command
First Time appeared: Redhat; Redhat enterprise Linux; Redhat openshift; Redhat openstack
Weaknesses: CWE-120
CPEs:
  cpe:/a:redhat:openshift:4
  cpe:/a:redhat:openstack:13
  cpe:/a:redhat:openstack:16.2
  cpe:/a:redhat:openstack:17.1
  cpe:/a:redhat:openstack:18.0
  cpe:/o:redhat:enterprise_linux:7
  cpe:/o:redhat:enterprise_linux:7::fastdatapath
  cpe:/o:redhat:enterprise_linux:8::fastdatapath
  cpe:/o:redhat:enterprise_linux:9::fastdatapath
Vendors & Products: Redhat; Redhat enterprise Linux; Redhat openshift; Redhat openstack
References:
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-05T16:36:17.493Z

Reserved: 2026-03-31T17:43:41.756Z

Link: CVE-2026-34956

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-05T16:16:11.927

Modified: 2026-05-05T19:31:10.400

Link: CVE-2026-34956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:00:13Z

Weaknesses