PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49017 OpenStack CVE debrief

A denial-of-service vulnerability exists in OpenStack Swift's s3api middleware. The StreamingInput class enters an infinite loop when processing truncated aws-chunked PUT request bodies, causing proxy-server workers to become permanently unresponsive with escalating CPU and memory consumption. An authenticated attacker can exhaust all available proxy-server workers, resulting in complete service unavailability. The defect was introduced in Swift 2.36.0 and affects versions prior to 2.36.2 and 2.37.2.

Vendor: OpenStack
Product: Swift
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations operating OpenStack Swift object storage deployments with the s3api middleware enabled, particularly those exposing S3-compatible APIs to authenticated users. Cloud service providers and enterprises relying on Swift for production storage infrastructure should prioritize patching due to the high availability impact and relatively low attack complexity.

Technical summary

The vulnerability resides in the s3api middleware's StreamingInput class, which handles aws-chunked encoded request bodies. When a truncated request body is received, the class repeatedly appends an empty buffer and re-reads, creating an infinite loop. This causes the proxy-server worker process to consume increasing CPU and memory resources without releasing them. Since the worker becomes permanently unresponsive, an attacker can systematically send crafted requests to exhaust all available workers, resulting in a complete denial of service for the Swift object storage service. The issue was introduced in version 2.36.0 and affects the 2.36.x and 2.37.x release branches prior to their respective patch releases.
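The following is an added illustration written for this debrief, not Swift's StreamingInput code: a minimal aws-chunked body reader that shows the read loop pattern that spins forever on a truncated body, and the hardened form that treats an empty read as truncation and raises instead. The function names, the dummy chunk signatures, the constructed sample body and the max_body cap are assumptions.

```python
"""Constructed example of CWE-835 in a stream decoder (not OpenStack Swift code)."""
import io


class TruncatedBody(Exception):
    """Client closed the stream before the terminating zero-length chunk."""


def _read_exact(stream, n):
    """Read exactly n bytes from stream.

    The vulnerable shape of this loop is
        while len(buf) < n: buf += stream.read(n - len(buf))
    At EOF read() returns b"" forever, so appending and retrying never makes
    progress and the worker spins. Treating an empty read as an error exits."""
    buf = b""
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:  # EOF: no more data will ever arrive
            raise TruncatedBody(f"expected {n} bytes, got {len(buf)}")
        buf += piece
    return buf


def _read_chunk_header(stream):
    """Parse '<hex-size>;chunk-signature=<sig>\\r\\n' (signature not verified here)."""
    line = stream.readline()
    if not line:
        raise TruncatedBody("EOF where a chunk header was expected")
    if not line.endswith(b"\r\n"):
        raise TruncatedBody("chunk header cut off before CRLF")
    return int(line.split(b";", 1)[0].strip(), 16)


def decode_aws_chunked(stream, max_body=64 * 1024):
    """Decode an aws-chunked body; max_body caps the declared payload size."""
    payload = b""
    while True:
        size = _read_chunk_header(stream)
        if size == 0:
            if _read_exact(stream, 2) != b"\r\n":
                raise ValueError("final chunk not followed by CRLF")
            return payload
        if len(payload) + size > max_body:
            raise ValueError("declared chunk exceeds max_body")
        payload += _read_exact(stream, size)
        if _read_exact(stream, 2) != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")


# Constructed sample body: two data chunks, then the terminator; signatures are dummies.
COMPLETE = (b"5;chunk-signature=deadbeef\r\nhello\r\n"
            b"6;chunk-signature=deadbeef\r\n world\r\n"
            b"0;chunk-signature=deadbeef\r\n\r\n")


def decode_bytes(body):
    return decode_aws_chunked(io.BytesIO(body))


def is_truncated(body):
    try:
        decode_aws_chunked(io.BytesIO(body))
        return False
    except TruncatedBody:
        return True
```

Slicing COMPLETE at any offset before its end models a client that disconnects mid-body; the hardened reader raises on each such slice instead of looping.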

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade OpenStack Swift to version 2.36.2 or 2.37.2 or later to remediate the infinite loop condition in the s3api middleware StreamingInput class.
  • If immediate patching is not feasible, consider implementing request body size limits and connection timeouts at the load balancer or reverse proxy layer to mitigate the risk of worker exhaustion.
  • Monitor proxy-server worker CPU and memory utilization for anomalous consumption patterns that may indicate exploitation attempts.
  • Review access controls to limit authenticated access to the S3 API endpoint to trusted users only, reducing the attack surface for this authenticated vulnerability.

Evidence notes

The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition). The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and high availability impact. Two code review patches on OpenDev Gerrit address the issue.
