PatchSiren cyber security CVE debrief
CVE-2026-36499 Open vSwitch CVE debrief
CVE-2026-36499 is a medium-severity vulnerability in Open vSwitch. A missing upper-bound check in the udpif_set_threads() function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service (DoS) via resource exhaustion. The vulnerability has a CVSS score of 6.5 and is classified as CWE-770.
- Vendor: Open vSwitch
- Product: Open vSwitch
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-06
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-06
Who should care
Users of Open vSwitch v3.6.90 who have OVSDB write access.
Technical summary
The vulnerability is caused by a missing upper-bound check in the udpif_set_threads() function of Open vSwitch v3.6.90. This allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads, leading to a denial of service (DoS) via resource exhaustion.
Defensive priority
medium
Recommended defensive actions
- Apply the patch or update to a fixed version of Open vSwitch.
- Restrict OVSDB write access to only those who need it.
Evidence notes
The vulnerability was reported on GitHub.
Official resources
- CVE-2026-36499 CVE record (CVE.org)
- CVE-2026-36499 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-36499 was published on 2026-06-04T19:16:28.563Z and modified on 2026-06-06T20:16:36.233Z.