OpenStack Swift s3api infinite loop causes DoS (pre 2.36.2/2.37.2)
CVE-2026-49017 Published on May 27, 2026

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

NVD

Weakness Type

What is an Infinite Loop Vulnerability?

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

CVE-2026-49017 has been classified as an Infinite Loop vulnerability or weakness.
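
The failure mode described in the advisory, as an added example that is not Swift's code: a simplified aws-chunked reader in Python, with the retry-on-empty-read pattern (capped here so it terminates) beside a reader that treats an empty read as end of stream. The function names, sample bodies and placeholder signatures are constructed for illustration; chunk signatures and trailers are not handled.

```python
import io
import re

class TruncatedBody(ValueError):
    """The stream ended before the declared data or the final 0-size chunk."""

def unguarded_read(stream, n, max_spins=1000):
    """Flawed pattern: retries on an empty read. Capped so the demo terminates."""
    buf, spins = b"", 0
    while len(buf) < n and spins < max_spins:
        buf += stream.read(n - len(buf))   # b"" at EOF, so no progress is made
        spins += 1
    return buf, spins

def read_exact(stream, n):
    """Hardened pattern: an empty read means EOF, so fail instead of retrying."""
    buf = bytearray()
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:
            raise TruncatedBody(f"wanted {n} bytes, got {len(buf)}")
        buf += piece
    return bytes(buf)

def decode_aws_chunked(stream):
    """Return the payload of an aws-chunked body (signatures are not verified)."""
    payload = bytearray()
    while True:
        header = stream.readline(4096)
        if not header.endswith(b"\r\n"):
            raise TruncatedBody("chunk header not terminated")
        size_hex = header[:-2].split(b";", 1)[0]
        if not re.fullmatch(rb"[0-9a-fA-F]{1,8}", size_hex):
            raise ValueError("bad chunk size")
        size = int(size_hex, 16)
        payload += read_exact(stream, size)
        if read_exact(stream, 2) != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        if size == 0:                      # final chunk closes the body
            return bytes(payload)

# Constructed sample bodies; the signatures are placeholders.
COMPLETE = (b"5;chunk-signature=PLACEHOLDER\r\nhello\r\n"
            b"0;chunk-signature=PLACEHOLDER\r\n\r\n")
TRUNCATED = b"5;chunk-signature=PLACEHOLDER\r\nhe"  # ends inside the chunk data

if __name__ == "__main__":
    print(decode_aws_chunked(io.BytesIO(COMPLETE)))
    print(unguarded_read(io.BytesIO(b"he"), 5, max_spins=50))
```

Without the cap, `unguarded_read` never returns on the truncated input, which is the worker-pinning behaviour the advisory describes; the hardened reader turns the same input into an error the caller can answer with a 4xx response.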


Products Associated with CVE-2026-49017


Affected Versions

OpenStack Swift: