CVE-2026-36501
Deferred - Pending Action
Denial of Service in Controller v12.0.5 via readExternal

Publication date: 2026-06-05

Last updated on: 2026-06-09

Assigner: MITRE

Description
An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Meta Information
Generated: 2026-06-27
EPSS Evaluated: 2026-06-25
References: NVD, EUVD
Affected Vendors & Products
Vendor        Product      Version / Range
opendaylight  controller   12.0.5
opendaylight  controller   11.0.0 (inclusive) to 11.0.4 (inclusive)
CWE ID    Description
CWE-20    Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

CVE-2026-36501 affects the OpenDaylight (ODL) Controller 12.0.5 (and, per the CPE data above, 11.0.0 through 11.0.4). The flaw lies in the Raft implementation, in the readExternal() methods of several Externalizable message classes.

Three of those classes (AE, SS and ServerConfigurationPayload) read a count with in.readInt() and pass it straight to ImmutableList.builderWithExpectedSize(size) without checking its range. The builder allocates a backing array of that size up front, before a single entry has been read from the stream, so the untrusted count alone decides how much memory is requested.

An attacker who can reach port 2550 (the Pekko remoting port) joins the ODL Pekko cluster and sends a crafted AppendEntries (AE) message whose entryCount is Integer.MAX_VALUE. The request for an array of roughly 2^31 references (about 16 GB) cannot be satisfied, an OutOfMemoryError is thrown and the JVM shuts down. Integer.MAX_VALUE is simply the most direct value: any count large enough to exceed the free heap produces the same failure.

The result is a denial of service (DoS) of the ODL controller.

The fix is to bound the count read from the stream before it is passed to builderWithExpectedSize() in the affected classes.
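The pattern described above, as an added example that is not code from the OpenDaylight project: a minimal stand-in for one of the affected payload classes, with the unbounded readExternal() logic next to a bounded version. It uses Guava's ImmutableList as the page does; the class name, the MAX_ENTRIES cap, the String entry type and the constructed byte streams in main() are assumptions for illustration only.

```java
import com.google.common.collect.ImmutableList;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.StreamCorruptedException;

// Added example (hypothetical class, not OpenDaylight code): the same
// "read a count, preallocate, then read entries" logic as the affected
// readExternal() methods, in a vulnerable and a bounded form.
public final class BoundedReadExternalDemo {

    // Assumed cap on entries per message. A real implementation would derive
    // this from the Raft layer's configured maximum batch size.
    static final int MAX_ENTRIES = 10_000;

    /** Vulnerable pattern: the untrusted count drives the allocation directly. */
    static ImmutableList<String> readEntriesUnbounded(ObjectInput in) throws IOException {
        int size = in.readInt();
        // Allocates new Object[size] here, before any entry has been read.
        ImmutableList.Builder<String> b = ImmutableList.builderWithExpectedSize(size);
        for (int i = 0; i < size; i++) {
            b.add(in.readUTF());
        }
        return b.build();
    }

    /** Bounded pattern: validate the count before it reaches the allocator. */
    static ImmutableList<String> readEntriesBounded(ObjectInput in) throws IOException {
        int size = in.readInt();
        if (size < 0 || size > MAX_ENTRIES) {
            // Fail the deserialization of this one message instead of the JVM.
            throw new StreamCorruptedException("entry count out of range: " + size);
        }
        ImmutableList.Builder<String> b = ImmutableList.builderWithExpectedSize(size);
        for (int i = 0; i < size; i++) {
            b.add(in.readUTF());
        }
        return b.build();
    }

    // Constructed input: a 4-byte count followed by the entries actually present.
    // A lying count (claimedCount larger than entries.length) models the crafted message.
    static byte[] encode(int claimedCount, String... entries) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeInt(claimedCount);
            for (String e : entries) {
                out.writeUTF(e);
            }
        }
        return bos.toByteArray();
    }

    static ObjectInput open(byte[] bytes) throws IOException {
        return new ObjectInputStream(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws IOException {
        byte[] benign = encode(2, "a", "b");
        System.out.println("bounded, benign message: " + readEntriesBounded(open(benign)));

        // Crafted message: claims Integer.MAX_VALUE entries, carries none.
        byte[] crafted = encode(Integer.MAX_VALUE);
        try {
            readEntriesBounded(open(crafted));
        } catch (StreamCorruptedException e) {
            System.out.println("bounded, crafted message: rejected (" + e.getMessage() + ")");
        }
        // readEntriesUnbounded(open(crafted)) would instead request an array of
        // Integer.MAX_VALUE references and terminate with OutOfMemoryError
        // before reading a single entry, which is the failure this CVE describes.
    }
}
```

Compile with Guava on the classpath. The bounded reader still preallocates, but only up to a size the deployment can always afford; where no natural cap exists, the safer alternative is ImmutableList.builder() with no expected size, so that memory grows only as entries are actually read from the stream.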

Impact Analysis

This vulnerability causes a denial of service (DoS) on the OpenDaylight controller by driving the Java Virtual Machine (JVM) into an OutOfMemoryError, after which it shuts down.

A single crafted message is enough: the oversized allocation is attempted while the message is being deserialized, before any Raft-level processing of its contents.

The controller then becomes unavailable, disrupting the network management and infrastructure services that depend on it.

Detection Guidance

The exploit requires joining the ODL Pekko cluster and delivering an AppendEntries (AE) message with an implausibly large entryCount, so there are two places to look: cluster membership and the traffic on port 2550.

A node joining the cluster from an address that is not one of the configured seed nodes or known controller members is the earliest signal, and the controller's own logs will carry the OutOfMemoryError raised when the crafted message is deserialized.

On the wire, capture traffic to port 2550 and look for AE messages whose entryCount is far above anything the deployment legitimately batches. Do not key only on Integer.MAX_VALUE: any value larger than the free heap triggers the same failure. Wireshark has no dissector for Pekko remoting, so the payload must be decoded by hand, and if remoting is TLS-protected the payload is not visible at all.

  • Example tcpdump command to capture traffic on port 2550: tcpdump -i <interface> port 2550 -w capture.pcap
  • Open capture.pcap in Wireshark and inspect AppendEntries messages for suspiciously large entryCount fields.
Mitigation Strategies

The code-level fix is to validate the count read from the stream (reject negative values and anything above a sane maximum) before calling builderWithExpectedSize() in the affected Externalizable classes (AE, SS and ServerConfigurationPayload). This is a change to the controller itself and cannot be applied by operators without rebuilding.

Until a fixed release is deployed, the practical mitigation is to limit exposure of port 2550: restrict it at the network layer to the addresses of legitimate cluster members, since the attack requires joining the Pekko cluster and delivering a crafted AppendEntries message over that port.

Update to a fixed version of the OpenDaylight Controller as soon as one is available.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-36501 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
