CVE-2026-49017 Overview
CVE-2026-49017 is an infinite loop vulnerability [CWE-835] in the OpenStack Swift s3api middleware. The flaw exists in the StreamingInput class, which mishandles truncated aws-chunked PUT request bodies. When the class encounters a truncated stream, it repeatedly appends an empty buffer and re-reads, locking the proxy-server worker in an unbounded loop. An authenticated attacker can issue crafted PUT requests to systematically consume every proxy-server worker, producing a denial of service across the object storage cluster. The defect was introduced in Swift 2.36.0 and remains exploitable until the deployment is upgraded to version 2.36.2 or 2.37.2.
Critical Impact
Authenticated attackers can permanently hang proxy-server workers, exhausting CPU and memory to fully disable OpenStack Swift object storage availability.
Affected Products
- OpenStack Swift 2.36.0 through 2.36.1
- OpenStack Swift 2.37.0 through 2.37.1
- Deployments using the s3api middleware with aws-chunked upload support
Discovery Timeline
- 2026-05-27 - CVE-2026-49017 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-49017
Vulnerability Analysis
The vulnerability resides in the s3api middleware that provides Amazon S3 API compatibility for OpenStack Swift. The middleware accepts aws-chunked transfer encoding for PUT operations, which streams object data in length-prefixed chunks. The StreamingInput class reads chunks from the client and buffers them for the proxy server.
When a client sends a truncated body, StreamingInput fails to detect end-of-stream and instead appends an empty buffer to its internal queue. The read loop then re-enters, finds the empty buffer, and repeats indefinitely. The proxy-server worker handling the request never returns control to the event loop. CPU usage rises as the loop spins, and memory consumption grows as buffer allocations accumulate.
Proxy-server workers are a finite pool. An authenticated attacker who can submit S3-style PUT requests can occupy every worker by sending a small number of truncated uploads. Once exhausted, no legitimate request can be serviced, producing a full denial of service against the storage tenant.
Root Cause
The root cause is missing termination logic in StreamingInput when the underlying client connection closes before the declared chunk length is satisfied. The class treats an empty read as a transient condition rather than an end-of-stream or error signal, resulting in an unbounded read loop classified as [CWE-835].
Attack Vector
Exploitation requires network reachability to the Swift proxy and valid credentials with permission to issue PUT requests through the s3api endpoint. The attacker initiates an aws-chunked PUT, sends a partial body, and abruptly closes the connection. Repeating this against multiple workers exhausts the pool.
No verified public exploit code is available. Technical details are documented in the Launchpad Bug Report #2152205 and the upstream patches in OpenDev Code Review #987957 and OpenDev Code Review #988093.
Detection Methods for CVE-2026-49017
Indicators of Compromise
- Proxy-server worker processes showing sustained 100% CPU utilization with steadily growing resident memory.
- Multiple long-running PUT requests against s3api endpoints that never complete or log a final status code.
- Client connections to the S3-compatible endpoint that terminate mid-upload immediately before worker hangs begin.
Detection Strategies
- Monitor Swift proxy worker process lifetimes and flag workers exceeding expected request-handling durations.
- Inspect proxy-server.log for PUT requests using aws-chunked transfer encoding that lack matching completion entries.
- Correlate authenticated S3 API sessions with worker exhaustion events to identify the originating account.
Monitoring Recommendations
- Track Swift proxy availability metrics, including active worker count and request queue depth, with alerting on sudden drops.
- Enable per-tenant request-rate metrics on the s3api middleware to surface anomalous PUT patterns.
- Capture process-level CPU and memory telemetry on proxy nodes and alert on sustained anomalies in swift-proxy-server workers.
How to Mitigate CVE-2026-49017
Immediate Actions Required
- Upgrade OpenStack Swift to version 2.36.2 or 2.37.2, which contain the upstream fix.
- Audit credentials with PUT permissions on the s3api endpoint and revoke unused or low-trust accounts.
- Enforce request timeouts and worker recycling on the proxy server to bound the impact of hung workers.
Patch Information
The fix is delivered through two upstream patches: OpenDev Code Review #987957 and OpenDev Code Review #988093. Both are included in Swift 2.36.2 and 2.37.2. The patches add end-of-stream detection in StreamingInput so that truncated aws-chunked bodies raise an error instead of looping. Refer to the Openwall OSS-Security disclosure for the coordinated announcement.
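As an added illustration, not Swift's own StreamingInput code or the upstream patch, the simplified aws-chunked decoder below shows the failure mode described under Root Cause beside the end-of-stream check the fix introduces: an empty read from the client is treated as the connection closing rather than as a transient condition. The chunk layout follows the aws-chunked format; the class and function names, the SPIN_BUDGET cap, the sample bodies and their placeholder signatures are constructed for this example.

```python
import io
class TruncatedChunkedBody(Exception):
    """Hardened path: peer closed before the declared chunk length arrived."""

class WorkerWouldHang(RuntimeError):
    """Demo-only sentinel: the 'transient' path kept re-reading empty buffers."""

SPIN_BUDGET = 1000  # constructed cap so the looping variant terminates here
def read_exact(stream, length, empty_is_transient=False):
    """Collect exactly `length` bytes. read() returning b"" means the peer closed.
    The hardened path raises; empty_is_transient=True models the advisory's bug
    (queue an empty buffer and re-read), bounded by SPIN_BUDGET."""
    parts, got, empty_reads = [], 0, 0
    while got < length:
        buf = stream.read(length - got)
        if buf:
            parts.append(buf)
            got += len(buf)
            continue
        if not empty_is_transient:
            raise TruncatedChunkedBody(f"wanted {length} bytes, got {got}")
        parts.append(buf)  # b"" queued; nothing will ever arrive
        empty_reads += 1
        if empty_reads >= SPIN_BUDGET:
            raise WorkerWouldHang(f"{empty_reads} empty reads without progress")
    return b"".join(parts)

def decode_aws_chunked(stream, empty_is_transient=False):
    """Decode '<hex-size>;chunk-signature=<sig>' CRLF <data> CRLF chunks ending
    with a zero-length chunk; return the reassembled object body."""
    body = bytearray()
    while True:
        header = stream.readline()
        if not header.endswith(b"\r\n"):
            raise TruncatedChunkedBody("chunk header cut short")
        size = int(header.split(b";", 1)[0].strip(), 16)
        if size == 0:
            return bytes(body)
        body += read_exact(stream, size, empty_is_transient)
        if read_exact(stream, 2, empty_is_transient) != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
# Constructed sample bodies; chunk signatures are placeholders, not real SigV4 values.
COMPLETE = (b"5;chunk-signature=sig1\r\nhello\r\n"
            b"6;chunk-signature=sig2\r\n world\r\n"
            b"0;chunk-signature=sig3\r\n\r\n")
TRUNCATED = b"5;chunk-signature=sig1\r\nhel"  # connection closed mid-chunk

def decode_bytes(raw, empty_is_transient=False):
    return decode_aws_chunked(io.BytesIO(raw), empty_is_transient)
```

With the hardened default, the truncated body raises TruncatedChunkedBody on the first empty read, so the worker returns to the event loop; the transient variant only stops because of the demonstration cap.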
Workarounds
- Disable the s3api middleware in the Swift proxy pipeline if S3 compatibility is not required by tenants.
- Restrict access to the s3api endpoint using network-layer controls until patched versions are deployed.
- Configure aggressive client_timeout values in proxy-server.conf to reduce, though not eliminate, worker hang duration.
# Configuration example: reduce proxy client timeout in proxy-server.conf
[DEFAULT]
client_timeout = 30
[pipeline:main]
# Remove s3api from the pipeline if not required
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache listing_formats tempauth proxy-logging proxy-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.