CVE-2026-49017

NameCVE-2026-49017
DescriptionIn OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6314-1
Debian Bugs1138170

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
swift (PTS)bullseye2.26.0-10+deb11u1fixed
bullseye (security)2.26.0-10+deb11u2fixed
bookworm, bookworm (security)2.30.1-0+deb12u1fixed
trixie2.35.1-0+deb13u1vulnerable
trixie (security)2.35.1-0+deb13u2fixed
forky, sid2.37.1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
swiftsourcebullseye(not affected)
swiftsourcebookworm(not affected)
swiftsourcetrixie2.35.1-0+deb13u2DSA-6314-1
swiftsource(unstable)2.37.1-41138170

Notes

[bookworm] - swift <not-affected> (Support for aws-chunked introduced in 2.35.1)
[bullseye] - swift <not-affected> (Support for aws-chunked introduced in 2.35.1)
https://www.openwall.com/lists/oss-security/2026/05/27/9
https://bugs.launchpad.net/swift/+bug/2152205
Search for package or bug name: Reporting problems