- Package: src:openvswitch
- Source: src:openvswitch
- Submitter: Thomas Goirand
- Date: 2026-04-14 19:13:01 UTC
- Severity: normal
- Tags:
Copying [ovs-announce] [ADVISORY] CVE-2026-34956: Open vSwitch: Invalid memory access in conntrack FTP alg.

Description
===========

Multiple versions of Open vSwitch are vulnerable to crafted FTP payloads causing invalid memory accesses, potential denial of service, and possible remote code execution. This impacts the userspace implementation of conntrack.

Triggering the vulnerability requires that Open vSwitch has configured conntrack flows specifying the FTP alg handler. Conntrack handlers in userspace are not automatically applied.

The issue is caused by type narrowing when copying FTP substrings. It has existed in all versions of the userspace conntrack supporting the FTP handler. This was introduced with Open vSwitch version 2.8.0 and affects all versions up to 3.7.0.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned CVE-2026-34956 identifier to this issue. At the time of writing the flaw is considered with Moderate impact and 5.9 CVSS.

Mitigation
==========

For any affected version of Open vSwitch, avoiding the FTP alg will prevent the issue from triggering. The Open vSwitch team does not recommend attempting to mitigate the vulnerability this way because it may impact packet forwarding.

By default, alg handlers are not installed, and must be added as part of the OpenFlow rules (via 'ct(alg=ftp)' for example). Users can check if they are using affected flows by looking at their OpenFlow ruleset for their bridges, for example:

    ovs-ofctl dump-flows <bridge> | grep 'alg=ftp'

We have found that Open vSwitch may be subject to heap corruption when processing FTP messages.

Fix
===

Patches to fix this vulnerability in Open vSwitch 3.3 and newer are applied to the appropriate branches, and the original patch is located at:

https://mail.openvswitch.org/pipermail/ovs-dev/2026-March/431425.html

Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or upgrade to a known patched version of Open vSwitch. These include:

* 3.3.9
* 3.4.6
* 3.5.4
* 3.6.3
* 3.7.1

Acknowledgements
================

The Open vSwitch team wishes to thank the reporter:

* Seiji Sakurai <Seiji.Sakurai@outlook.com>
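A triage helper for the advisory above, added here as an example (it is not part of the bug thread and is not Open vSwitch or Debian code): it classifies an upstream version against the advisory's affected range and fixed releases, and counts `alg=ftp` flows per bridge. The function names and the sample ruleset are constructed; it assumes releases newer than 3.7 carry the fix, and it compares upstream version numbers only, so a distribution package with the patch backported will still be reported as vulnerable.

```shell
#!/bin/sh
# Added example, not Open vSwitch or Debian code.
# Fixed upstream releases, copied from the advisory's Recommendation list.
FIXED="3.3.9 3.4.6 3.5.4 3.6.3 3.7.1"

# Constructed sample of `ovs-ofctl dump-flows` output (not from a real host).
SAMPLE_FLOWS=' cookie=0x0, table=0, priority=100,tcp,tp_dst=21 actions=ct(commit,alg=ftp),output:2
 cookie=0x0, table=0, priority=50,ct_state=+trk+rel,tcp actions=output:1
 cookie=0x0, table=0, priority=10,arp actions=NORMAL'

# Print not-affected | vulnerable | patched | unknown for an upstream version.
ovs_version_status() {
    ver=${1%%[!0-9.]*}                      # drop suffixes such as "-1"
    if [ -z "$ver" ]; then echo unknown; return; fi
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # The FTP handler first shipped in 2.8.0, so older releases lack the code.
    if [ "$maj" -lt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -lt 8 ]; }; then
        echo not-affected; return
    fi
    for f in $FIXED; do                     # same x.y branch: compare patch level
        if [ "$maj.$min" = "${f%.*}" ]; then
            if [ "$pat" -ge "${f##*.}" ]; then echo patched; else echo vulnerable; fi
            return
        fi
    done
    # Assumption: branches newer than 3.7 already contain the fix.
    if [ "$maj" -gt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -gt 7 ]; }; then
        echo patched
    else
        echo vulnerable                     # 2.8 to 3.2: no fixed release listed
    fi
}

# Count flows on stdin that request the FTP helper, e.g. ct(alg=ftp).
count_ftp_alg_flows() {
    grep -c 'alg=ftp' || true               # grep -c exits 1 on zero matches
}

if command -v ovs-vsctl >/dev/null 2>&1; then
    # Client tool version, assumed to match the installed ovs-vswitchd.
    v=$(ovs-vsctl --version | sed -n '1s/.* //p')
    echo "Open vSwitch $v: $(ovs_version_status "$v")"
    for br in $(ovs-vsctl list-br); do
        n=$(ovs-ofctl dump-flows "$br" | count_ftp_alg_flows)
        echo "bridge $br: $n flow(s) with alg=ftp"
    done
else
    n=$(printf '%s\n' "$SAMPLE_FLOWS" | count_ftp_alg_flows)
    echo "sample ruleset: $n flow(s) with alg=ftp"
fi
```

A host is exposed only when both results line up: a version reported as vulnerable and at least one bridge with a non-zero `alg=ftp` count.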
Hello,

Bug #1132449 in openvswitch reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/third-party/openvswitch/-/commit/0d5833e8bae3e9a25a8bbced6534baa3a4c498fe

------------------------------------------------------------------------
* New upstream release:
  - Addresses CVE-2026-34956: Open vSwitch: Invalid memory access in
    conntrack FTP alg (Closes: #1132449).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1132449
Hello,

Bug #1132449 in openvswitch reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/third-party/openvswitch/-/commit/9dc13eaffeca7687de398d510d9a4d3ffc8de22e

------------------------------------------------------------------------
* CVE-2026-34956: Invalid memory access in conntrack FTP alg. Applied
  upstream patch: conntrack: Fix replace_substring to handle larger
  packets. (Closes: #1132449).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1132449
We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1132449@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated openvswitch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 01 Apr 2026 11:05:04 +0200
Source: openvswitch
Architecture: source
Version: 3.7.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1132449
Changes:
openvswitch (3.7.1-1) unstable; urgency=high
.
 * New upstream release:
   - Addresses CVE-2026-34956: Open vSwitch: Invalid memory access in
     conntrack FTP alg (Closes: #1132449).
 * Removed patches applied upstream:
   - tests-Make-routing-rules-checks-more-resilient.patch
   - ovs-router-Fix-disable-system-route-rules-filter.patch
   - ovs-router-Fix-locking-in-ovs_router_rule_add.patch