CVE-2026-34956
Heap Overflow in Open vSwitch FTP Conntrack Flow
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openvswitch | open_vswitch | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34956 is a vulnerability in Open vSwitch related to the handling of FTP EPASV commands. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream containing an EPASV command that exceeds 255 characters. This causes a heap access error which can crash the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining OpenFlow rulesets for flows that use the FTP alg helper, as the vulnerability occurs only when Open vSwitch is configured with conntrack flows specifying the FTP alg handler.
To detect if your Open vSwitch setup is vulnerable, you should check for OpenFlow rules containing 'alg=ftp'. This indicates that the FTP helper is enabled and the system could be exposed to the vulnerability.
A suggested command to check for such flows is to use ovs-ofctl to dump flows and grep for 'alg=ftp'. For example:
- ovs-ofctl dump-flows <bridge-name> | grep alg=ftp
If such flows are present, the system is potentially vulnerable unless patched or upgraded. Additionally, monitoring FTP traffic for EPASV commands exceeding 255 characters could help detect exploitation attempts, though specific commands for this are not provided in the resources.
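The check above, extended to every bridge and to the datapath condition, as an added example that is not part of the advisory or of Open vSwitch itself. It assumes that a bridge whose `datapath_type` is `netdev` runs on the userspace datapath; the function names and the sample flow dump are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag bridges that combine an FTP conntrack helper with the userspace datapath.

# Print the flows (from `ovs-ofctl dump-flows` text on stdin) whose actions use alg=ftp.
ftp_alg_flows() {
    grep -E '[(,]alg=ftp[,)]' || true
}

# Classify one bridge. usage: classify <datapath_type> <number of alg=ftp flows>
classify() {
    dp_type=$(printf '%s' "$1" | tr -d '"')   # ovs-vsctl prints an empty value as ""
    if [ "$2" -eq 0 ]; then
        echo "no-ftp-helper"
    elif [ "$dp_type" = "netdev" ]; then      # assumption: netdev = userspace datapath
        echo "exposed"
    else
        echo "ftp-helper-not-userspace"
    fi
}

# Constructed sample of dump-flows output (not captured from a real switch).
SAMPLE_DUMP=' cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=100,tcp,in_port=1,tp_dst=21 actions=ct(commit,alg=ftp),output:2
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=50,ct_state=+trk+rel,tcp actions=output:1
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=0 actions=NORMAL'

# Classify from text alone. usage: audit_text <datapath_type> <dump-flows text>
audit_text() {
    n_ftp=$(printf '%s\n' "$2" | ftp_alg_flows | grep -c . || true)
    classify "$1" "$n_ftp"
}

# Walk every bridge on a live host (needs ovs-vsctl and ovs-ofctl).
audit_live() {
    for br in $(ovs-vsctl list-br); do
        dp=$(ovs-vsctl get bridge "$br" datapath_type)
        printf '%s: %s\n' "$br" "$(audit_text "$dp" "$(ovs-ofctl dump-flows "$br")")"
    done
}

# With --live, audit the real bridges; otherwise classify the constructed sample.
if [ "${1:-}" = "--live" ]; then audit_live; else audit_text netdev "$SAMPLE_DUMP"; fi
```

A bridge reported as `exposed` matches both conditions named in the description; the other two results mean that at least one condition is absent on that bridge.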
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition on the affected system. Specifically, the heap access error triggered by the malicious EPASV command causes Open vSwitch to crash, disrupting network operations and potentially causing downtime for systems relying on Open vSwitch.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should avoid using Open vSwitch configured with conntrack flows using FTP helpers over the userspace datapath until a fix is available.
Since no fixed version is currently assigned, consider disabling or restricting FTP helper usage in Open vSwitch configurations to prevent processing of EPASV commands exceeding 255 characters.
Monitor updates from Open vSwitch and your Linux distribution for patches addressing this issue.