Message-ID: <f7t8qb7enen.fsf@redhat.com>
Date: Tue, 31 Mar 2026 16:48:00 -0400
From: Aaron Conole <aconole@...hat.com>
To: ovs-announce@...nvswitch.org, oss-security@...ts.openwall.com
Subject: [ADVISORY] CVE-2026-34956: Open vSwitch: Invalid memory access in
 conntrack FTP alg.

Description
===========

Multiple versions of Open vSwitch are vulnerable to crafted FTP payloads
causing invalid memory accesses, potential denial of service, and possible
remote code execution.  This impacts the userspace implementation of
conntrack.  Triggering the vulnerability requires that Open vSwitch has
configured conntrack flows specifying the FTP alg handler.  Conntrack
handlers in userspace are not automatically applied.

The issue is caused by type narrowing when copying FTP substrings.  It
has existed in all versions of the userspace conntrack supporting the
FTP handler.  This was introduced with Open vSwitch version 2.8.0 and
affects all versions up to 3.7.0.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2026-34956 to this issue.  At the time of
writing, the flaw is rated Moderate impact with a CVSS score of 5.9.


Mitigation
==========

For any affected version of Open vSwitch, avoiding the FTP alg will
prevent the issue from triggering.  The Open vSwitch team does not
recommend attempting to mitigate the vulnerability this way because it
may impact packet forwarding.

By default, alg handlers are not installed, and must be added as part
of the OpenFlow rules (via 'ct(alg=ftp)' for example).

Users can check if they are using affected flows by looking at their
OpenFlow ruleset for their bridges, for example:

   ovs-ofctl dump-flows <bridge> | grep 'alg=ftp'
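
The check above can be combined with a version comparison against the
fixed releases listed under Recommendation.  The script below is an added
example, not part of the original advisory or Open vSwitch project code;
the function names, verdict strings and sample flow dump are constructed
for illustration.

```shell
#!/bin/sh
# Added example, not Open vSwitch project code. Expects versions as X.Y.Z.

# ovs_status VERSION -> not-affected | affected | patched | unlisted
ovs_status() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%[!0-9]*}
    series=$((major * 100 + minor))
    # The FTP handler first shipped in 2.8.0, per the advisory.
    if [ "$series" -lt 208 ]; then echo not-affected; return; fi
    case "$major.$minor" in          # fixed releases listed in the advisory
        3.3) fixed=9 ;; 3.4) fixed=6 ;; 3.5) fixed=4 ;;
        3.6) fixed=3 ;; 3.7) fixed=1 ;;
        *)  # 2.8 to 3.2 have no fixed release listed; newer than 3.7 is
            # outside the advisory's range, so report it as unlisted.
            if [ "$series" -lt 303 ]; then echo affected; else echo unlisted; fi
            return ;;
    esac
    if [ "${patch:-0}" -ge "$fixed" ]; then echo patched; else echo affected; fi
}

# audit VERSION: reads `ovs-ofctl dump-flows` text on stdin and prints a verdict.
audit() {
    status=$(ovs_status "$1")
    hits=$(grep -c 'alg=ftp' || true)   # same match the advisory suggests
    if [ "$status" = affected ] && [ "$hits" -gt 0 ]; then verdict=exposed
    else verdict=not-exposed; fi
    echo "$verdict status=$status ftp_alg_flows=$hits"
}

# Constructed sample of dump-flows output (not captured from a real bridge).
SAMPLE_FLOWS=' cookie=0x0, table=0, priority=100,tcp,tp_dst=21 actions=ct(commit,alg=ftp),NORMAL
 cookie=0x0, table=0, priority=100,udp,tp_dst=69 actions=ct(commit,alg=tftp),NORMAL
 cookie=0x0, table=0, priority=0 actions=NORMAL'

printf '%s\n' "$SAMPLE_FLOWS" | audit 3.6.2

# Live use, assuming the OVS tools are on PATH:
#   ver=$(ovs-vswitchd --version | awk 'NR==1 {print $NF}')
#   for br in $(ovs-vsctl list-br); do ovs-ofctl dump-flows "$br"; done | audit "$ver"
```

A host is reported as exposed only when both conditions from the advisory
hold: an affected release and at least one flow using 'alg=ftp'.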

We have found that Open vSwitch may be subject to heap corruption when
processing FTP messages.


Fix
===

Patches to fix this vulnerability in Open vSwitch 3.3 and newer are
applied to the appropriate branches, and the original patch is located
at:

   https://mail.openvswitch.org/pipermail/ovs-dev/2026-March/431425.html


Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 3.3.9
* 3.4.6
* 3.5.4
* 3.6.3
* 3.7.1


Acknowledgements
================

The Open vSwitch team wishes to thank the reporter:

  * Seiji Sakurai <Seiji.Sakurai@...look.com>
