CVE-2020-35498 Overview
A denial of service vulnerability was discovered in Open vSwitch (OVS), a widely used multilayer virtual switch designed to enable large-scale network automation through programmatic extension. The vulnerability exists in the userspace packet parsing implementation, where a limitation allows a malicious user to craft specially designed packets that cause the resulting megaflow installed in the kernel datapath to be overly broad.
When exploited, this flaw can disrupt network traffic flow processing, potentially causing service disruption across virtualized network infrastructure. Open vSwitch is commonly deployed in data centers, cloud environments, and software-defined networking (SDN) implementations, making this vulnerability particularly impactful for enterprise and cloud service providers.
Critical Impact
Attackers can remotely trigger denial of service conditions in Open vSwitch deployments by sending specially crafted packets, causing overly wide megaflows that disrupt network operations and system availability.
Affected Products
- Open vSwitch (multiple versions)
- Debian Linux 9.0 and 10.0
- Fedora 33
Discovery Timeline
- 2021-02-11 - CVE-2020-35498 published to NVD
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2020-35498
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a resource exhaustion flaw in Open vSwitch's packet parsing mechanism. The issue lies in how the userspace component processes and classifies incoming network packets before creating megaflow entries in the kernel datapath.
In the Open vSwitch architecture, megaflows are cached kernel datapath flow entries whose match fields are wildcarded as far as the OpenFlow pipeline allows, so that a single entry serves many similar packets and improves forwarding performance. When the userspace parser encounters a maliciously crafted packet, the parsing logic fails to properly constrain the resulting flow match criteria. This causes the generated megaflow to become excessively broad, matching far more traffic than intended.
The network-accessible nature of this vulnerability means that any attacker who can send packets to an affected Open vSwitch instance can trigger the condition without requiring any authentication or user interaction. This makes it particularly dangerous in multi-tenant cloud environments where untrusted workloads share the same virtual switching infrastructure.
Root Cause
The root cause is a limitation in the userspace packet parsing implementation that fails to properly validate and constrain packet header fields during flow classification. When processing certain malformed packets, the parser does not enforce appropriate bounds on the resulting megaflow match criteria, allowing the creation of overly permissive kernel flow rules.
This flaw in the packet classification logic lets an attacker influence how traffic is categorized and forwarded, ultimately leading to uncontrolled resource consumption and potential denial of service conditions.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker sends specially crafted packets to a network segment handled by the vulnerable Open vSwitch instance. Upon receiving and parsing these packets, the affected OVS deployment creates an overly wide megaflow entry in the kernel datapath.
This overly broad megaflow can then match legitimate traffic that should be handled differently, causing:
- Incorrect packet forwarding decisions
- Traffic disruption for unrelated flows
- Resource exhaustion in the kernel datapath
- Overall degradation or loss of network connectivity
The attack requires no privileges or user interaction, making it straightforward to execute against exposed Open vSwitch deployments.
Detection Methods for CVE-2020-35498
Indicators of Compromise
- Unexpected or abnormally broad megaflow entries in OVS datapath tables
- Unusual packet classification behavior affecting unrelated traffic flows
- Sudden increases in kernel flow table resource consumption
- Network connectivity disruptions correlated with specific packet patterns
Detection Strategies
- Monitor Open vSwitch logs for unusual packet parsing errors or warnings
- Implement flow table monitoring to detect megaflows with abnormally broad match criteria using ovs-dpctl dump-flows
- Deploy network intrusion detection systems (IDS) to identify malformed packet patterns targeting OVS
- Utilize SentinelOne Singularity platform for real-time endpoint and network behavior analysis
Monitoring Recommendations
- Configure alerting on Open vSwitch daemon (ovs-vswitchd) crash or restart events
- Monitor system resource utilization for unexpected spikes in kernel memory or CPU usage
- Track megaflow statistics using ovs-appctl dpctl/dump-flows for anomalous patterns
- Enable verbose logging for packet classification debugging during incident investigation
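A defender-side check for the flow table monitoring described under Detection Strategies and Monitoring Recommendations, added here as an example (not code from the original page or from the Open vSwitch project): it parses dump-flows output and flags IP megaflows whose masks leave every L3 address and every L4 port wildcarded. The sample output is constructed, the mask conventions follow what ovs-dpctl prints (value/mask, no mask for an exact match), and the heuristic assumes a deployment whose OpenFlow rules are expected to constrain those fields (for example security-group ACLs); on a pure L2 bridge such megaflows are normal and a different baseline is needed.

```python
import re

# Constructed sample in the format of `ovs-dpctl dump-flows` output (not captured from a real host).
SAMPLE_DUMP = """\
recirc_id(0),in_port(2),eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:02),eth_type(0x0800),ipv4(src=10.0.0.1/255.255.255.255,dst=10.0.0.2/255.255.255.255,proto=6,tos=0/0,ttl=64/0,frag=no),tcp(src=40000/0xffff,dst=80/0xffff),tcp_flags(0/0), packets:12, bytes:960, used:0.431s, actions:3
recirc_id(0),in_port(2),eth(src=00:00:00:00:00:01/00:00:00:00:00:00,dst=00:00:00:00:00:02),eth_type(0x0800),ipv4(src=10.0.0.1/0.0.0.0,dst=10.0.0.2/0.0.0.0,proto=17,tos=0/0,ttl=64/0,frag=no),udp(src=5353/0,dst=53/0), packets:9811, bytes:784880, used:0.002s, actions:3
recirc_id(0),in_port(1),eth(src=00:00:00:00:00:03,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=10.0.0.3,tip=10.0.0.1,op=1,sha=00:00:00:00:00:03,tha=00:00:00:00:00:00), packets:2, bytes:84, used:3.100s, actions:2
"""
IP_ETHERTYPES = {"0x0800": "ipv4", "0x86dd": "ipv6"}   # eth_type -> key that carries L3 addresses
L4_KEYS = ("tcp", "udp", "sctp")

def split_top_level(text):  # split on commas that are not nested inside parentheses
    items, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    return [i.strip() for i in items + ["".join(cur)] if i.strip()]

def parse_keys(text):
    """'k(a=v/m,...),k2(...)' -> {k: {field: (value, mask or None)}}; no mask means exact match."""
    flow = {}
    for item in split_top_level(text):
        m = re.fullmatch(r"(\w+)\((.*)\)", item)
        if m and m.group(1) == "encap":          # VLAN-tagged traffic nests inner keys in encap(...)
            flow.update(parse_keys(m.group(2)))
        elif m:
            fields = {}
            for sub in split_top_level(m.group(2)):
                field, eq, rest = sub.partition("=")
                value, _, mask = (rest if eq else sub).partition("/")
                fields[field if eq else ""] = (value, mask or None)   # bare value, e.g. eth_type(0x0800)
            flow[m.group(1)] = fields
    return flow

def is_constrained(flow, key, field):  # absent field or all-zero mask => datapath ignores the field
    entry = flow.get(key, {}).get(field)
    return entry is not None and (entry[1] is None or not set(entry[1].lower()) <= set("0.:x"))

def is_overly_broad(flow):
    """Heuristic: IP traffic matched with neither an L3 address nor an L4 port constrained."""
    l3 = IP_ETHERTYPES.get(flow.get("eth_type", {}).get("", ("",))[0])
    return l3 is not None and not (
        any(is_constrained(flow, l3, f) for f in ("src", "dst"))
        or any(is_constrained(flow, k, f) for k in L4_KEYS for f in ("src", "dst")))

def find_broad_flows(dump_text):  # -> [(line_number, packets)] of flagged megaflows, busiest first
    hits = []
    for n, line in enumerate(dump_text.splitlines(), 1):
        pk = re.search(r"packets:(\d+)", line)
        if pk and is_overly_broad(parse_keys(line.partition(", packets:")[0])):
            hits.append((n, int(pk.group(1))))
    return sorted(hits, key=lambda h: -h[1])
```

Feed it the live output of ovs-dpctl dump-flows (or ovs-appctl dpctl/dump-flows) on a schedule and alert when a flagged entry carries a large and growing packet count.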
How to Mitigate CVE-2020-35498
Immediate Actions Required
- Update Open vSwitch to the latest patched version available for your distribution
- Review and apply security advisories from your operating system vendor (Debian, Fedora, Red Hat)
- Implement network segmentation to limit exposure of OVS management and data planes
- Consider temporarily disabling affected OVS instances if updates cannot be immediately applied
Patch Information
Multiple vendors have released security updates addressing this vulnerability. Consult the following resources for distribution-specific patch information:
- Red Hat Bug Report - Red Hat Bugzilla tracking entry
- Debian Security Advisory DSA-4852 - Debian stable security update
- Debian LTS Announcement - Debian LTS support update
- Fedora Package Announcement - Fedora update notification
- Gentoo GLSA 202311-16 - Gentoo Linux Security Advisory
Workarounds
- Implement strict network access controls to limit which hosts can send traffic to OVS-managed networks
- Deploy firewall rules to filter potentially malicious packet patterns at network boundaries
- Consider using rate limiting on network interfaces to reduce the impact of flood-based attacks
- Monitor and alert on OVS performance metrics to quickly detect and respond to exploitation attempts
# Check current Open vSwitch version
ovs-vswitchd --version
# Monitor megaflow statistics for anomalies
ovs-appctl dpctl/dump-flows
# Update Open vSwitch on Debian/Ubuntu
sudo apt update && sudo apt upgrade openvswitch-switch
# Update Open vSwitch on Fedora/RHEL
sudo dnf update openvswitch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.