CVE-2026-49017

Name: CVE-2026-49017
Creator: NVD / NIST
Published: 2026-05-27T02:16:34.327+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.1/10EPSS 0.32%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

Metrics

CVSS 4.0

7.1/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.32%

23.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-835

References

Timeline

Published: May 27, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-49017?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST