Description
An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: 2026-06-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the Externalizable.readExternal() component of OpenDaylight Controller version 12.0.5. A specially crafted input can be processed by the controller, causing a denial of service by exhausting resources or causing the component to crash. The flaw is an input validation defect, mapped to CWE-400. No remote code execution or confidentiality compromise is possible; the primary impact is loss of availability.

Affected Systems

OpenDaylight Controller v12.0.5 is identified as the affected product. No other vendors, products, or version ranges are specified.

Risk and Exploitability

The CVSS score and EPSS are not available, and the vulnerability is not listed in CISA KEV, indicating limited public exploitation. The attack requires remote interaction with the controller's Externalizable interface, likely over network protocols used by OpenDaylight. While the theoretical risk remains, the lack of a confirmed exploit narrows the exploitation window. Network segmentation or traffic filtering can reduce the likelihood of a successful attack.

Generated by OpenCVE AI on June 5, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenDaylight Controller to a version that includes a fix for the Externalizable.readExternal() flaw as soon as a patch is released.
  • Restrict inbound traffic to the controller using firewall rules or network segmentation to limit opportunities for malicious input.
  • Monitor the controller logs and network flow for abnormal traffic patterns that may indicate attempts to trigger the denial of service.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Title | | Denial of Service via Crafted Input in Externalizable.readExternal() of Controller v12.0.5
Weaknesses | | CWE-400

Fri, 05 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T16:52:15.890Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36501

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-05T18:17:16.927

Modified: 2026-06-05T19:02:13.790

Link: CVE-2026-36501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:45:06Z

Weaknesses