CVE-2026-34956
Awaiting Analysis Awaiting Analysis - Queue
Heap Overflow in Open vSwitch FTP Conntrack Flow

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Red Hat, Inc.

Description
A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34956
EUVD
EUVD-2026-27345
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openvswitch open_vswitch *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34956 is a vulnerability in Open vSwitch related to the handling of FTP EPASV commands. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream containing an EPASV command that exceeds 255 characters. This causes a heap access error which can crash the system.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition on the affected system. Specifically, the heap access error triggered by the malicious EPASV command causes Open vSwitch to crash, disrupting network operations and potentially causing downtime for systems relying on Open vSwitch.

Mitigation Strategies

To mitigate this vulnerability, you should avoid using Open vSwitch configured with conntrack flows using FTP helpers over the userspace datapath until a fix is available.

Since no fixed version is currently assigned, consider disabling or restricting FTP helper usage in Open vSwitch configurations to prevent processing of EPASV commands exceeding 255 characters.

Monitor updates from Open vSwitch and your Linux distribution for patches addressing this issue.

Detection Guidance

This vulnerability can be detected by examining OpenFlow rulesets for flows that use the FTP alg helper, as the vulnerability occurs only when Open vSwitch is configured with conntrack flows specifying the FTP alg handler.

To detect if your Open vSwitch setup is vulnerable, you should check for OpenFlow rules containing 'alg=ftp'. This indicates that the FTP helper is enabled and the system could be exposed to the vulnerability.

A suggested command to check for such flows is to use ovs-ofctl to dump flows and grep for 'alg=ftp'. For example:

  • ovs-ofctl dump-flows <bridge-name> | grep alg=ftp

If such flows are present, the system is potentially vulnerable unless patched or upgraded. Additionally, monitoring FTP traffic for EPASV commands exceeding 255 characters could help detect exploitation attempts, though specific commands for this are not provided in the resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart