Description
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An infinite loop in the s3api middleware of OpenStack Swift causes the proxy-server worker handling a truncated aws-chunked PUT request to become permanently blocked while its CPU and memory consumption keeps growing. The result is a denial of service: an authenticated attacker can trigger the loop repeatedly, exhausting all workers and degrading service availability.
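The description above attributes the hang to a read loop that appends an empty buffer and re-reads when the aws-chunked body ends early. The following decoder is an added illustration, not OpenStack Swift's StreamingInput or any other project code: it parses the same wire format (hex size plus chunk-signature header, data, CRLF, zero-size terminator) and treats an empty read() as end-of-stream, so a truncated body raises instead of spinning. Chunk signatures are parsed but not verified, trailers are not handled, and the all-zero signature in the constructed sample is a placeholder.

```python
# Added example (not OpenStack Swift's code): a minimal aws-chunked
# body decoder whose read loop treats an empty read() as end-of-stream
# and fails closed, instead of appending the empty buffer and re-reading.
# Chunk signatures are parsed but not verified; trailers are not handled.
import io


class TruncatedBody(Exception):
    """The stream ended before the chunked body was complete."""


def _read_exact(stream, n):
    """Read exactly n bytes or raise TruncatedBody.

    An empty read() means EOF. Treating it as EOF is what bounds the loop:
    every iteration either adds bytes to buf or exits.
    """
    buf = bytearray()
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:
            raise TruncatedBody(f"expected {n} bytes, got {len(buf)}")
        buf.extend(piece)
    return bytes(buf)


def _read_line(stream, limit=1024):
    """Read one CRLF-terminated header line; raise on EOF or oversize."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        byte = stream.read(1)
        if not byte:
            raise TruncatedBody("EOF inside chunk header")
        buf.extend(byte)
        if len(buf) > limit:
            raise ValueError("chunk header too long")
    return bytes(buf[:-2])


def decode_aws_chunked(stream, max_chunk=64 * 1024 * 1024):
    """Decode an aws-chunked stream into the raw object bytes.

    Wire format (SigV4 streaming upload):
        <hex-size>;chunk-signature=<hex>\r\n<data>\r\n ...
    terminated by a zero-size chunk "0;chunk-signature=<hex>\r\n\r\n".
    """
    out = bytearray()
    while True:
        header = _read_line(stream)
        size_hex, sep, ext = header.partition(b";")
        if not sep or not ext.startswith(b"chunk-signature="):
            raise ValueError("missing chunk-signature in chunk header")
        size = int(size_hex, 16)
        if size < 0 or size > max_chunk:
            raise ValueError(f"bad chunk size {size}")
        out.extend(_read_exact(stream, size))
        if _read_exact(stream, 2) != b"\r\n":
            raise ValueError("chunk data not CRLF-terminated")
        if size == 0:
            return bytes(out)


def decode_bytes(body):
    """Convenience wrapper: decode an in-memory body."""
    return decode_aws_chunked(io.BytesIO(body))


def encode_aws_chunked(payload, chunk_size):
    """Build a well-formed body with a constructed all-zero signature."""
    sig = "0" * 64  # placeholder, not a real SigV4 chunk signature
    parts = []
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        parts.append(f"{len(chunk):x};chunk-signature={sig}\r\n".encode())
        parts.append(chunk + b"\r\n")
    parts.append(f"0;chunk-signature={sig}\r\n\r\n".encode())
    return b"".join(parts)


def classify_body(body):
    """Return 'ok', 'truncated' or 'invalid' for a complete or cut body."""
    try:
        decode_bytes(body)
        return "ok"
    except TruncatedBody:
        return "truncated"
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    sample = encode_aws_chunked(b"hello swift", 4)  # constructed payload
    for cut in (len(sample), len(sample) - 10, 30):
        print(cut, classify_body(sample[:cut]))
```

The property worth checking in any streaming decoder of this kind is that each pass through the read loop either consumes bytes or terminates; the three truncation points in the usage block (inside a header, after chunk data, inside the terminator) all end in TruncatedBody rather than a retry.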

Affected Systems

The vulnerability affects OpenStack Swift versions prior to 2.36.2 and 2.37.2. These releases are used in deployments that expose an S3-compatible API for object storage.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is not available in this analysis, but with no mitigation short of a patch, exploitation is plausible, especially against systems that accept authenticated aws-chunked uploads. The risk is addressed only by upgrading to a patched release; the absence of a KEV catalog listing means no public exploitation was known at the time of analysis.

Generated by OpenCVE AI on May 27, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Swift to version 2.36.2 or later, or 2.37.2 or later, to eliminate the looping behavior
  • Configure the S3API middleware to reject truncated or malformed PUT requests before reaching the proxy worker
  • Monitor CPU and memory usage of Swift proxy workers and set alerts for abnormal consumption patterns


Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Description                           In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
First Time appeared                   Openstack
                                      Openstack swift
Weaknesses                            CWE-835
CPEs                                  cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*
Vendors & Products                    Openstack
                                      Openstack swift
References
Metrics                               cvssV4_0
                                      {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T13:52:55.767Z

Reserved: 2026-05-27T01:57:58.189Z

Link: CVE-2026-49017

Vulnrichment

Updated: 2026-05-27T13:52:52.280Z

NVD

Status : Received

Published: 2026-05-27T02:16:34.327

Modified: 2026-05-27T02:16:34.327

Link: CVE-2026-49017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T03:30:06Z

Weaknesses