CVE-2026-49017

CVE-2026-49017 PUBLISHED

Assigner: mitre
Reserved: 27.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	Low
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	OpenStack
Product	Swift
Versions	Default: unaffected affected from 2.36.0 to 2.36.2 (excl.) affected from 2.37.0 to 2.37.2 (excl.)

Vendor

OpenStack

Product

Swift

Versions

Default: unaffected

affected from 2.36.0 to 2.36.2 (excl.)
affected from 2.37.0 to 2.37.2 (excl.)

References

Problem Types

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') CWE