CVE-2020-35498 Overview
CVE-2020-35498 is a denial of service vulnerability in Open vSwitch (OVS), a production-quality multilayer virtual switch widely deployed in software-defined networking and cloud environments. The flaw exists in the userspace packet parsing implementation. A remote attacker can send a specially crafted packet that causes the resulting megaflow installed in the kernel datapath to be too wide. An overly wide megaflow degrades flow classification efficiency and can exhaust system resources, impacting availability of the virtual switch and the workloads it serves. The vulnerability is classified under [CWE-400: Uncontrolled Resource Consumption].
Critical Impact
Remote, unauthenticated attackers can degrade or disrupt network availability on hypervisors and cloud hosts running vulnerable Open vSwitch versions by transmitting crafted packets.
Affected Products
- Open vSwitch (multiple versions prior to the security fix)
- Debian GNU/Linux 9 (stretch) and 10 (buster)
- Fedora 33
Discovery Timeline
- 2021-02-10 - Issue disclosed publicly on the Openwall OSS-Security mailing list
- 2021-02-11 - CVE-2020-35498 published to NVD
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2020-35498
Vulnerability Analysis
Open vSwitch uses a two-tier flow caching design. The kernel datapath holds exact-match microflows and wildcarded megaflows, while userspace (ovs-vswitchd) performs full OpenFlow classification and pushes derived megaflows down to the kernel. When userspace parses a packet to compute the matching fields, it must mark every header field that influenced the classification decision so the resulting megaflow only matches packets that should follow the same forwarding path.
The parsing limitation in this vulnerability causes userspace to miss marking certain header fields as relevant. The kernel then installs a megaflow that is wider than intended, meaning it wildcards fields that should have been matched. Subsequent packets that should have taken different forwarding decisions are incorrectly bundled into the same flow, forcing repeated upcalls to userspace, revalidation churn, and CPU exhaustion. Under sustained crafted traffic, the datapath becomes unable to process legitimate traffic.
Root Cause
The root cause is incomplete tracking of packet header fields during userspace parsing. The classifier does not record dependencies on all parsed fields, producing megaflows whose match mask is broader than the forwarding decision actually requires. This violates the invariant that megaflow installation must preserve the same forwarding semantics as full classification.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted packets across any interface attached to a vulnerable Open vSwitch bridge. The crafted packets trigger the parsing flaw, causing overly wide megaflows to be installed. Repeated transmission amplifies the impact, producing sustained CPU consumption in ovs-vswitchd and the kernel datapath until availability is lost.
// No verified public exploit code is available for this vulnerability.
// Refer to the Red Hat Bugzilla entry and Openwall OSS-Security post
// linked in the references for technical discussion of the parsing flaw.
Detection Methods for CVE-2020-35498
Indicators of Compromise
- Sustained high CPU utilization by the ovs-vswitchd process without a corresponding increase in legitimate traffic volume.
- Elevated upcall and revalidator activity visible in ovs-appctl dpctl/show and ovs-appctl upcall/show output.
- Growing kernel datapath flow table with megaflows containing unexpectedly broad wildcard masks.
- Packet drops or latency spikes on bridges handling untrusted ingress traffic.
Detection Strategies
- Inspect installed megaflows with ovs-dpctl dump-flows and flag entries whose masks wildcard fields that should normally be matched for the configured OpenFlow rules.
- Monitor ovs-vswitchd revalidator and handler thread CPU time as a leading indicator of flow cache thrashing.
- Correlate Open vSwitch performance counters with network telemetry to identify traffic patterns that consistently precede availability degradation.
Monitoring Recommendations
- Export ovs-vswitchd coverage counters (facet_revalidate, flow_extract, upcall_flow_limit_hit) to a metrics backend and alert on sudden spikes.
- Track package versions of openvswitch across hypervisor fleets and alert on hosts still running pre-patch builds.
- Capture packet samples on bridge interfaces during CPU anomalies to support post-incident reconstruction of the triggering traffic.
How to Mitigate CVE-2020-35498
Immediate Actions Required
- Apply distribution-supplied Open vSwitch updates on all hypervisors and network nodes, prioritizing hosts exposed to untrusted networks.
- Restart ovs-vswitchd after upgrading so the patched userspace parser is loaded and stale megaflows are flushed.
- Inventory all systems running Open vSwitch, including containerized and embedded deployments, to confirm full coverage.
Patch Information
Fixes are available through vendor advisories including the Debian Security Advisory DSA-4852, the Debian LTS Announcement, the Fedora Package Announcement, and Gentoo GLSA 202311-16. Additional context is available in the Red Hat Bug Report and the Openwall OSS-Security Post.
Workarounds
- Restrict ingress to Open vSwitch bridges using upstream filtering, ACLs, or security groups so untrusted sources cannot reach the parser.
- Apply rate limiting on bridge ports facing untrusted networks to bound the volume of crafted packets reaching ovs-vswitchd.
- Where feasible, tune other_config:flow-limit and revalidator threads to reduce the blast radius of flow cache thrashing while patches are scheduled.
# Example: upgrade Open vSwitch on Debian-based systems
sudo apt-get update
sudo apt-get install --only-upgrade openvswitch-switch openvswitch-common
sudo systemctl restart openvswitch-switch
# Verify installed version after upgrade
ovs-vsctl --version
# Inspect current megaflows and their match masks
sudo ovs-dpctl dump-flows
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
