CVE-2026-36501
Deferred Deferred - Pending Action

Denial of Service in Controller v12.0.5 via readExternal

Vulnerability report for CVE-2026-36501, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-06-09

Assigner: MITRE

Description

An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-06-09
Generated
2026-07-17
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
opendaylight controller 12.0.5
opendaylight controller From 11.0.0 (inc) to 11.0.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-36501 vulnerability affects OpenDayLight (ODL) version 12.0.5, specifically in its Raft implementation within the Externalizable.readExternal() component.

The issue arises because three Externalizable classes (AE, SS, and ServerConfigurationPayload) call `in.readInt()` and pass the result directly to `ImmutableList.builderWithExpectedSize(size)` without any bounds checking.

An attacker with access to port 2550 can exploit this by joining the ODL Pekko cluster and sending a crafted AppendEntries (AE) message with `entryCount` set to `Integer.MAX_VALUE`. This causes a massive memory allocation attempt (~16 GB), leading to an OutOfMemoryError and forcing the JVM to shut down.

This results in a denial of service (DoS) for the ODL controller.

The recommended fix is to add bounds checking before calling `builderWithExpectedSize()` in the affected classes.

Detection Guidance

The vulnerability can be detected by monitoring network traffic on port 2550 for suspicious AppendEntries (AE) messages with unusually large entryCount values, especially those set to Integer.MAX_VALUE.

Since the exploit involves sending a crafted AppendEntries message to join the ODL Pekko cluster, detection can focus on identifying such malformed messages.

While no specific commands are provided, you can use network monitoring tools like tcpdump or Wireshark to capture traffic on port 2550 and analyze the payloads for abnormal entryCount values.

  • Example tcpdump command to capture traffic on port 2550: tcpdump -i <interface> port 2550 -w capture.pcap
  • Use Wireshark to open capture.pcap and inspect AppendEntries messages for suspiciously large entryCount fields.
Impact Analysis

This vulnerability can cause a denial of service (DoS) condition on the OpenDayLight controller by forcing the Java Virtual Machine (JVM) to shut down due to an OutOfMemoryError.

An attacker exploiting this issue can send a specially crafted message that triggers a large memory allocation, exhausting system resources.

As a result, the controller becomes unavailable, potentially disrupting network management and infrastructure services that depend on it.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-36501 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate mitigation step is to apply bounds checking before calling builderWithExpectedSize() in the affected Externalizable classes (AE, SS, and ServerConfigurationPayload) to prevent excessive memory allocation.

Since the vulnerability is exploited by sending crafted AppendEntries messages to port 2550, restricting or monitoring access to this port can help reduce exposure.

Additionally, updating to a fixed version of the OpenDaylight Controller where this issue is patched is recommended once available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart