MEDIUM 6.5

CVE-2026-36499: Open vSwitch Thread Allocation DoS Vulnerability

Open vSwitch v3.6.90 contains a flaw that allows someone with write access to its configuration database to cause the software to allocate an unreasonably large number of worker threads. By requesting more threads than the system can handle, an attacker can exhaust memory and CPU resources, effectively shutting down the switch. The vulnerability requires existing database access, limiting the immediate threat surface, but represents a significant availability risk in environments where OVSDB write permissions are not tightly controlled.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-770
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A missing upper-bound check in the udpif_set_threads() function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service (DoS) via resource exhaustion.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The udpif_set_threads() function in Open vSwitch v3.6.90 lacks an upper-bound validation check on thread allocation requests submitted via OVSDB. An authenticated attacker can craft OVSDB write commands specifying an excessive number of handler or revalidation threads. The absence of boundary enforcement permits resource exhaustion at the kernel and application level, leading to denial of service. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).

Business impact

An internal or compromised user with OVSDB write privileges can render Open vSwitch instances unavailable, disrupting network packet forwarding and flow control. In production environments relying on Open vSwitch for SDN, network virtualization, or NFV deployments, an outage directly impacts service continuity. Recovery requires manual intervention to restart the affected switch instance. The threat is heightened in multi-tenant environments or where OVSDB access control is not strictly segmented.

Affected systems

Open vSwitch v3.6.90 is confirmed affected. The vulnerability is tied to a specific function in the datapath interface module and likely affects other 3.6.x versions, though only v3.6.90 is explicitly referenced in the published advisory. Deployments running earlier major versions should be assessed for similar patterns in their thread management code. Verify vendor advisories for a complete list of affected releases and recommended upgrade targets.

Exploitability

Exploitation requires OVSDB write access, a prerequisite that typically means the attacker is either an authenticated local user, a compromised service with database permissions, or an unauthenticated remote user who has already breached network perimeter controls to reach the OVSDB management interface. While the technical barrier to trigger the flaw is low—a single malformed configuration command—the access requirement prevents mass exploitation. The CVSS score of 6.5 (MEDIUM) reflects this trade-off: high impact to availability balanced against a requirement for legitimate database credentials.

Remediation

Patch Open vSwitch to the first maintenance release after v3.6.90 that includes bounds checking in udpif_set_threads(). Verify the specific patched version against the official Open vSwitch project release notes. In the interim, restrict OVSDB write permissions to a minimal set of trusted administrators and services, and monitor OVSDB command logs for anomalous thread allocation requests. Consider network segmentation to limit who can reach the OVSDB management port (default TCP 6640).

Patch guidance

Check the Open vSwitch project repository and security advisories for a patched release that addresses the thread allocation bounds check. Apply patches following your standard change management procedures, typically involving testing in a non-production environment first. Confirm the patched version in release notes before deploying to production. If an upgrade timeline cannot be met immediately, enforce strict access controls on OVSDB write operations as a temporary compensating control.

Detection guidance

Monitor OVSDB transaction logs and API calls for requests to set thread counts to unusually high values (e.g., values exceeding 10x normal worker thread counts or system CPU core count). Watch for correlated spikes in memory consumption and thread count on affected Open vSwitch processes. Host-level metrics such as vm.max_map_count exhaustion or page allocation failures may indicate active exploitation. Network IDS signatures for suspicious OVSDB protocol patterns can also flag malicious configuration submissions.

Why prioritize this

Although the CVSS score is MEDIUM (6.5), this vulnerability merits prompt attention because (1) Open vSwitch is foundational infrastructure in many cloud and NFV deployments, (2) an outage has direct business continuity impact, (3) the fix is straightforward and patches are expected to be available, and (4) the attack surface is narrow but not negligible if OVSDB access controls are misconfigured. Prioritize patching for production switches; non-critical lab or test instances can follow a standard maintenance cycle.

Risk score, explained

CVSS 3.1 score of 6.5 reflects MEDIUM severity: attack vector is network-accessible (AV:N), configuration is uncomplicated (AC:L), an authenticated user privilege is required (PR:L), no user interaction is needed (UI:N), scope is unchanged (S:U), and confidentiality and integrity remain intact (C:N/I:N) but availability is severely impacted (A:H). The privilege requirement and absence of confidentiality/integrity loss prevent a higher score, but the high availability impact keeps it in the MEDIUM to upper-MEDIUM range.

Frequently asked questions

Does this vulnerability allow unauthenticated remote code execution?

No. The flaw is strictly a denial of service via resource exhaustion. It does not permit arbitrary code execution, and it requires prior OVSDB write access, which is not available to unauthenticated remote users by default.

What versions of Open vSwitch are at risk?

Open vSwitch v3.6.90 is confirmed affected. Other versions in the 3.6.x series should be evaluated; consult the official Open vSwitch security advisory and your vendor's product-specific guidance for a complete version list.

Can I work around this without patching?

Yes, temporarily. Enforce strong access controls on OVSDB, restrict write permissions to trusted administrators only, and monitor thread allocation requests. However, this is a compensating control, not a permanent fix. Plan a patch deployment at your earliest convenience.

How long does an outage last if this is exploited?

The affected Open vSwitch process will become resource-starved and may hang or crash. Recovery requires manual restart of the process or the entire switch instance. The duration depends on your monitoring and incident response procedures; outages can range from minutes (if detected and restarted quickly) to hours.

This analysis is based on published vulnerability information as of the date listed. Patch availability, affected version scope, and vendor timelines may change. Always verify details against official vendor advisories before taking action. No warranty is expressed or implied regarding the completeness or accuracy of this guidance. SEC.co recommends independent security assessment of your specific Open vSwitch deployment and access control posture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).