CVE-2026-34956 Overview
CVE-2026-34956 is a heap access vulnerability in Open vSwitch (OVS) affecting deployments that use connection tracking (conntrack) with File Transfer Protocol (FTP) helpers over the userspace datapath. A remote attacker can transmit a specially crafted FTP stream containing an EPASV command exceeding 255 characters to trigger the flaw. The condition causes a crash in the affected Open vSwitch process, resulting in a Denial of Service (DoS) for the system. The weakness is classified under [CWE-120] (Buffer Copy without Checking Size of Input). The flaw requires no authentication and is reachable across the network, but exploitation depends on a specific OVS configuration involving conntrack flows with FTP application-layer helpers.
Critical Impact
A remote unauthenticated attacker can crash Open vSwitch by sending an oversized FTP EPASV command, disrupting network traffic forwarding for all workloads dependent on the affected datapath.
Affected Products
- Open vSwitch with conntrack flows configured to use FTP helpers
- Open vSwitch deployments running the userspace datapath (netdev)
- Red Hat distributions packaging the affected Open vSwitch versions (see Red Hat advisory)
Discovery Timeline
- 2026-05-05 - CVE-2026-34956 published to the National Vulnerability Database
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-34956
Vulnerability Analysis
Open vSwitch supports application-layer helpers within its conntrack subsystem to track protocols that negotiate secondary connections, such as FTP. When the userspace datapath parses an FTP control channel, the helper inspects commands including PASV and EPASV to extract address and port information for related data connections. The flaw arises when the helper processes an EPASV command whose payload exceeds 255 characters. The oversized input causes a heap access error during parsing, terminating the ovs-vswitchd process and severing dataplane forwarding.
Because Open vSwitch underpins virtual networking in many virtualization, container, and Network Functions Virtualization (NFV) platforms, a crash of the userspace datapath halts traffic for every tenant or workload bound to the affected bridge. The attacker only needs the ability to deliver an FTP stream that traverses a conntrack flow with the FTP helper enabled.
Root Cause
The root cause is improper bounds checking in the FTP helper logic when handling the EPASV command field. Input length is not validated against the destination buffer prior to access, producing the [CWE-120] heap access error. See the Red Hat Bug Report #2453459 for upstream technical details.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker establishes or hijacks an FTP session whose traffic crosses an Open vSwitch bridge configured with ct(alg=ftp) on the userspace datapath. The attacker then issues an EPASV response or command with a payload longer than 255 characters. The malformed stream is parsed by the OVS FTP helper and triggers the crash. Exploitation does not yield code execution or data disclosure but produces a sustained DoS until the service is restarted.
No public proof-of-concept exploit is currently available. Refer to the Openwall OSS Security Discussion for technical context.
Detection Methods for CVE-2026-34956
Indicators of Compromise
- Unexpected termination or repeated restarts of the ovs-vswitchd process on hosts running the userspace datapath
- Crash dumps or core files referencing the FTP conntrack helper code path
- FTP control-channel packets containing EPASV payloads longer than 255 characters traversing OVS bridges
- Sudden loss of network connectivity for virtual machines or containers attached to an affected OVS bridge
Detection Strategies
- Inspect FTP traffic on monitored segments for malformed EPASV commands with abnormal length using deep packet inspection or intrusion detection signatures
- Correlate ovs-vswitchd service crashes with concurrent FTP sessions in centralized logs
- Audit Open vSwitch configurations for flows using ct(alg=ftp) combined with the netdev userspace datapath
Monitoring Recommendations
- Forward systemd and ovs-vswitchd service logs to a centralized logging or SIEM platform and alert on abnormal restart patterns
- Track packet counters and flow drops on conntrack zones handling FTP traffic
- Monitor host-level signals such as segmentation faults from the OVS process via journalctl or kernel logs
How to Mitigate CVE-2026-34956
Immediate Actions Required
- Apply vendor patches for Open vSwitch as soon as they are published by your Linux distribution; review the Red Hat CVE Advisory for fixed package versions
- Inventory all Open vSwitch deployments and identify bridges using the userspace datapath together with FTP conntrack helpers
- Restrict FTP traffic ingress and egress at perimeter firewalls where it is not operationally required
Patch Information
Refer to the Red Hat CVE Advisory and your distribution's security tracker for fixed Open vSwitch package versions. Upstream fixes address the bounds check in the FTP helper parsing routine. After patching, restart ovs-vswitchd to load the corrected code.
Workarounds
- Remove the FTP helper from conntrack flow definitions where it is not required by replacing ct(alg=ftp) with a plain ct action
- Migrate workloads from the userspace (netdev) datapath to the kernel datapath if feasible, since the issue is reported against the userspace path
- Block or proxy FTP traffic through an application-layer gateway that normalizes EPASV command length before it reaches OVS bridges
# Example: list OVS bridges and flows to identify FTP conntrack helper usage
sudo ovs-vsctl show
sudo ovs-ofctl dump-flows <bridge> | grep -i 'alg=ftp'
# Example: remove a flow that uses the FTP helper (adjust match criteria to your environment)
sudo ovs-ofctl del-flows <bridge> "tcp,tp_dst=21"
# Restart ovs-vswitchd after applying vendor patches
sudo systemctl restart openvswitch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
