CVE-2026-49017

CVE Database · CVE-2026-49017

CVE-2026-49017

· N/AAwaiting Analysis

CVSS v3.1

N/A

CVSS v4.0

7.1

EPSS

0.27%

Published

May 26, 2026

Modified

May 29, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

Weaknesses (CWE)

CWE-835

References (4)

https://bugs.launchpad.net/bugs/2152205

https://review.opendev.org/c/openstack/swift/+/987957

https://review.opendev.org/c/openstack/swift/+/988093

http://www.openwall.com/lists/oss-security/2026/05/27/9

KEV Catalog EPSS Scores Vendors All CVEs