GHSA-g7jq-j257-rww2
OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body
Details
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
Affected packages
2.36.0 No fixed version published yet for swift (pip). Pin to a known-safe version or switch to an alternative.
2.37.0 No fixed version published yet for swift (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-49017 [ADVISORY]
- https://bugs.launchpad.net/bugs/2152205 [WEB]
- https://github.com/openstack/swift [PACKAGE]
- https://review.opendev.org/c/openstack/swift/+/987957 [WEB]
- https://review.opendev.org/c/openstack/swift/+/988093 [WEB]
- http://www.openwall.com/lists/oss-security/2026/05/27/9 [WEB]
- http://www.openwall.com/lists/oss-security/2026/06/02/6 [WEB]