OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body
High severity
GitHub Reviewed
Published
May 27, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Package
Affected versions
>= 2.36.0, <= 2.36.1
>= 2.37.0, <= 2.37.1
Patched versions
None
Description
Published by the National Vulnerability Database
May 27, 2026
Published to the GitHub Advisory Database
May 27, 2026
Reviewed
Jul 1, 2026
Last updated
Jul 1, 2026
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
References