CVE-2026-36501
Denial of Service in Controller v12.0.5 via readExternal
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opendaylight | controller | 12.0.5 |
| opendaylight | controller | From 11.0.0 (inc) to 11.0.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-36501 vulnerability affects the OpenDaylight (ODL) controller version 12.0.5, specifically the `Externalizable.readExternal()` deserialization code in its Raft implementation.
The issue arises because three Externalizable classes (AE, SS, and ServerConfigurationPayload) call `in.readInt()` and pass the result directly to `ImmutableList.builderWithExpectedSize(size)` without any bounds checking.
An attacker with access to port 2550 can exploit this by joining the ODL Pekko cluster and sending a crafted AppendEntries (AE) message with `entryCount` set to `Integer.MAX_VALUE`. This causes a massive memory allocation attempt (~16 GB), leading to an OutOfMemoryError and forcing the JVM to shut down.
This results in a denial of service (DoS) for the ODL controller.
The recommended fix is to add bounds checking before calling `builderWithExpectedSize()` in the affected classes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-36501 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition on the OpenDaylight controller by forcing the Java Virtual Machine (JVM) to shut down due to an OutOfMemoryError.
An attacker exploiting this issue can send a specially crafted message that triggers a large memory allocation, exhausting system resources.
As a result, the controller becomes unavailable, potentially disrupting network management and infrastructure services that depend on it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by monitoring network traffic on port 2550 for suspicious AppendEntries (AE) messages with unusually large entryCount values, especially those set to Integer.MAX_VALUE.
Since the exploit involves sending a crafted AppendEntries message to join the ODL Pekko cluster, detection can focus on identifying such malformed messages.
While no specific commands are provided, you can use network monitoring tools like tcpdump or Wireshark to capture traffic on port 2550 and analyze the payloads for abnormal entryCount values.
- Example tcpdump command to capture traffic on port 2550: `tcpdump -i <interface> port 2550 -w capture.pcap`
- Use Wireshark to open `capture.pcap` and inspect AppendEntries messages for suspiciously large `entryCount` fields.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply bounds checking before calling builderWithExpectedSize() in the affected Externalizable classes (AE, SS, and ServerConfigurationPayload) to prevent excessive memory allocation.
Since the vulnerability is exploited by sending crafted AppendEntries messages to port 2550, restricting or monitoring access to this port can help reduce exposure.
Additionally, updating to a fixed version of the OpenDaylight Controller where this issue is patched is recommended once available.
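The unchecked `readInt()` to `builderWithExpectedSize()` pattern from the explanation above, beside the bounds-checked form recommended as mitigation, as an added illustration that is not OpenDaylight's code: `EntryBatchReader`, `MAX_ENTRIES` and the `readUTF` payload format are assumptions standing in for the real AE/SS/ServerConfigurationPayload classes.

```java
import com.google.common.collect.ImmutableList;
import java.io.*;

// Hypothetical stand-in for the affected Externalizable message classes; not OpenDaylight's code.
public final class EntryBatchReader {
    // Assumed ceiling on entries per message; a real implementation derives it from protocol limits.
    static final int MAX_ENTRIES = 10_000;

    // Pattern described in the advisory: the wire-supplied count drives preallocation.
    // A count of Integer.MAX_VALUE makes builderWithExpectedSize request a ~2^31-slot array.
    static ImmutableList<String> readUnchecked(ObjectInput in) throws IOException {
        int size = in.readInt();
        ImmutableList.Builder<String> b = ImmutableList.builderWithExpectedSize(size);
        for (int i = 0; i < size; i++) {
            b.add(in.readUTF());
        }
        return b.build();
    }

    // Hardened form: reject negative or oversized counts before any allocation happens.
    static ImmutableList<String> readChecked(ObjectInput in) throws IOException {
        int size = in.readInt();
        if (size < 0 || size > MAX_ENTRIES) {
            throw new InvalidObjectException("entry count out of range: " + size);
        }
        ImmutableList.Builder<String> b = ImmutableList.builderWithExpectedSize(size);
        for (int i = 0; i < size; i++) {
            b.add(in.readUTF());
        }
        return b.build();
    }

    // Builds a constructed in-memory stream with a declared count followed by its entries.
    private static ObjectInput streamOf(int count, String... entries) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeInt(count);
            for (String e : entries) out.writeUTF(e);
        }
        return new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a well-formed batch of two entries passes the check.
        System.out.println(readChecked(streamOf(2, "entry-1", "entry-2")));
        // Constructed sample: a header declaring Integer.MAX_VALUE entries is rejected
        // by readChecked before any allocation; readUnchecked would attempt the allocation.
        try {
            readChecked(streamOf(Integer.MAX_VALUE));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check must run before `builderWithExpectedSize()` is called, since that call is what performs the allocation; validating the count after the fact does not help.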