OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked upload

OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked upload¶

Date:: May 27, 2026
CVE:: CVE-2026-49017

Affects¶

Swift: >=2.36.0 <2.36.2, >=2.37.0 <2.37.2

Description¶

Alistair Coles from NVIDIA reported a denial of service vulnerability in Swift’s s3api middleware. An authenticated user can send a truncated aws-chunked PUT request that causes a proxy-server worker to enter an infinite loop, consuming CPU and memory until the process becomes permanently unresponsive. Deployments running Swift 2.36.0 or later with the s3api middleware enabled are affected.

Patches¶

https://review.opendev.org/990262 (2025.2/flamingo)
https://review.opendev.org/990261 (2026.1/gazpacho)
https://review.opendev.org/987957 (2026.2/hibiscus)

Credits¶

Alistair Coles from NVIDIA (CVE-2026-49017)

References¶

this page last updated: 2026-05-28 16:28:05

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.