Skip to main content

Open vSwitch CVE-2026-36499

| EUVDEUVD-2026-34317 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-04 mitre GHSA-87x4-f37w-27p2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 21:33 vuln.today
CVSS changed
Jun 04, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A missing upper-bound check in the udpif_set_threads() function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service (DoS) via resource exhaustion.

AnalysisAI

Resource exhaustion in Open vSwitch v3.6.90 allows an authenticated attacker with OVSDB write access to crash the virtual switch by requesting an unbounded number of handler or revalidation threads via a missing upper-bound check in the udpif_set_threads() function. The SSVC framework confirms a proof-of-concept exploit exists, though the vulnerability is not listed in CISA KEV and automated mass exploitation is assessed as unlikely due to the required management-plane authentication. With CVSS 6.5 and impact limited to availability, this is a moderate-priority finding that becomes high-priority in environments where OVSDB write access is broadly granted or inadequately segmented.

Technical ContextAI

Open vSwitch (OVS) is a production-grade open-source virtual switch widely deployed in SDN environments including OpenStack, Kubernetes (via OVN), and major cloud platforms. The OVSDB (Open vSwitch Database) protocol governs runtime configuration of OVS components. The vulnerable function udpif_set_threads() accepts thread count parameters submitted via OVSDB write operations and passes them to the underlying threading subsystem without validating an upper bound. This maps directly to CWE-770 (Allocation of Resources Without Limits or Throttling): the function trusts the caller-supplied integer without clamping it, enabling unbounded thread and memory allocation until the host is exhausted. The CPE string in the source data (cpe:2.3:a:n/a:n/a) is non-informative; the affected product and version are established solely by the CVE description identifying Open vSwitch v3.6.90. The GitHub reference at https://github.com/majdlatah/OVS-Other-Config-Bug is associated with the reported bug, likely containing proof-of-concept or issue reproduction details.

RemediationAI

No vendor-released patched version has been identified in the available intelligence - the upstream fix, if merged, would be tracked at https://github.com/majdlatah/OVS-Other-Config-Bug, but a tagged release containing the fix has not been independently confirmed; operators should monitor that reference and the official Open vSwitch release channel for a corrective release. As an immediate compensating control, restrict OVSDB write access to the minimum set of trusted management hosts using network-level ACLs or OVSDB role-based access controls, reducing the attack surface to only authorized orchestration systems; note that overly tight restrictions may break automated provisioning workflows. Additionally, deploy monitoring or alerting on OVSDB transactions that set anomalously large thread count values in the other_config or related keys, enabling detection before resource exhaustion occurs. On hypervisor or container host deployments, applying OS-level thread limits (e.g., ulimit -u) to the ovs-vswitchd process can serve as a safety net that bounds the blast radius, though this may cause thread allocation failures under legitimate high-load conditions.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-36499 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy