#1138908 OSSN-0099: Denial of Service in Ironic under reduced process stack size

Package:
src:ironic
Source:
src:ironic
Submitter:
Thomas Goirand
Date:
2026-06-05 22:07:02 UTC
Severity:
normal
Tags:
#1138908#5
Date:
2026-06-05 17:19:15 UTC
From:
To:
https://wiki.openstack.org/wiki/OSSN/OSSN-0099

Summary

An unauthenticated malicious user could submit a specially crafted JSON string
to certain endpoints on the API service or the JSON-RPC endpoint if enabled,
and cause a service crash until the service is restarted. This was due to the
memory allocation exceeding the stack size of the Python runtime due to
Ironic's reduced default stack size prior to the initial payload validation.
Affected Services / Software

    ironic: >=32.0.0, <37.0.0

Discussion

The Ironic project has introduced a customized size check middleware which
looks for excessive and invalid recursive JSON data structures while also
enforcing path awareness and endpoint size limits based upon the intended
patterns of interaction with Ironic.
Recommended Actions

Apply the provided Ironic patches.

Review the newly provided configuration variables defaults in context of your
cluster.

Several options were added related to permitted JSON body sizing. The defaults
should be sufficient for most clouds but can be adjusted:

    '[api]/max_json_body_depth', default 25, will reject requests with JSON
                               documents with more recursion depth than this.
    '[api]/max_json_body_size', default 1024, is the maximum size, in KiB, the
                               API service will accept for any endpoint except
                               the node provision state and continue_inspection
                               endpoints. Requests with a larger content-length
                               will receive an HTTP 413 response.
    '[api]/max_json_body_size_provision', default 65536 (64MiB), is the max
                                         size, in KiB, for the node provision
                                         state endpoint. The larger default is
                                         due to the need to accomodate
                                         configdrives or deploy_steps.
    '[api]/max_json_body_size_inspection', default 16384 (16MiB), is the max
                                          size, in KiB, for the
                                          continue_inspection endpoint. The
                                          larger default is due to the need to
                                          accomodate inspection data from the
                                          ramdisk, which can include system
                                          logs and data larger than normal API
                                          requests.

Operators unable or unwilling to patch their Ironic installations can work
around the issue by increasing the process stack size by setting the
environment variable 'IRONIC_THREAD_STACK_SIZE=8388608' before starting Ironic
services.
Patches

The following reviews contain the fix for this issue:

    2026.2/hibiscus (master): https://review.opendev.org/c/openstack/ironic/+/991717
    2026.1/gazpacho: https://review.opendev.org/c/openstack/ironic/+/991854
    2025.2/flamingo: https://review.opendev.org/c/openstack/ironic/+/991858
    bugfix/34.0: https://review.opendev.org/c/openstack/ironic/+/991856
    bugfix/33.0: https://review.opendev.org/c/openstack/ironic/+/991857

Credits

Dmitry Tantsur, Red Hat Tuomo Tanskanen, Ericsson Software Technology
Metal3.io Security Team Contacts / References

Authors:

Jay Faulkner, G-Research Open Source Software (GR-OSS)

Julia Kreger, Red Hat


    This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0099
    Original Launchpad bug: https://bugs.launchpad.net/ironic/+bug/2154288
    Mailing List : [security-sig] tag on openstack-discuss@lists.openstack.org
    OpenStack Security : https://security.openstack.org/
    CVE: CVE-2026-50589
#1138908#14
Date:
2026-06-05 22:04:35 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138908@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 Jun 2026 19:14:00 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138908
Changes:
 ironic (1:35.0.1-5) unstable; urgency=medium
 .
   * CVE-2026-50589 / OSSN-0099: Denial of Service in Ironic under reduced
     process stack size. Added upstream patch: "Add JSON body depth and size
     limiting middleware" (Closes: #1138908).
Checksums-Sha1:
 1fb278676edd5ea73420d4aeea398a079da66c11 4063 ironic_35.0.1-5.dsc
 d4b3b0e13a20c7ef0c18ca13590782fcfd80f5ba 42856 ironic_35.0.1-5.debian.tar.xz
 4bac0bfa7845d123994131d3223deafb8a9d3cea 22640 ironic_35.0.1-5_amd64.buildinfo
Checksums-Sha256:
 6b59ca78d9b49ac005eb6d31b411b4b897e26e8aaf9043dfa2bd1a476bbaa0fc 4063 ironic_35.0.1-5.dsc
 ca0e89aedf8e79ce407f05c9be8de634bc1f532b63b7c4788843447aa34e4a26 42856 ironic_35.0.1-5.debian.tar.xz
 b822ce5a282e2cec6258c686d4a9847f1f382271b424f6d968406369b16fa484 22640 ironic_35.0.1-5_amd64.buildinfo
Files:
 dfd17c4e928764e7f9ec543072366904 4063 net optional ironic_35.0.1-5.dsc
 b4782c41d3ba5927053f159786083b02 42856 net optional ironic_35.0.1-5.debian.tar.xz
 da1e72678aca8a584fe1860f1e248c60 22640 net optional ironic_35.0.1-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmojQowACgkQ1BatFaxr
Q/7Lmw//UaFdGFeujpqcwCfP9Izwfn1c6tabI+UUVDUc70VWin0zICb8Uy6LO/mR
SbEfJaGV13pqFnZqWMzjdRpiJv9r+aCDsB/EV29kCqdWiXSf3qDc5VAu5OpWnFtz
ZNrbIm86ie7cGlxQwD6gJk3+IdQcbOOC0iSS/IesnMOr0DUxM1M2/KO07QgqxFaN
GJJQluB6oReSdDJX8wytGSESS79XgvnRODfYOS89xbR+XM4tiQ3Gc/b/pAGtQyoy
uZaSjcFgmv5FKXODik3NsoEJ2cCcj6oCpa4uDiTaM9fKQWQNJT2HPnpzm0z66O40
Um01oISgdjj8KC+JbC1Ey77F8G189x106ESpGB4MDeiHC96eibZlf3DwkkEZVsXh
P+QvPsgZtL/FMT1Jxg4PkjlRqbb3asiVzs+LaQmcWhviEN1qKsvF//4eN2rEseUE
4OQCM9S9vhTuDKZ0ImWWDAsDQMQJau0dFmLUFGEA2b0QQ8jpX0HotiTjxyzW/w8o
OeA7LGIJLi3Hk77B34AA5Gg3Qb6tz1YSqx0odkeUHR7uBr6zg/DZC6Rrf9f/3Cl5
DrxWeE3Da82yT0BjfG/Iet+lbflVDiHefTnpxAi+J/z2Xft0eFWnWLD8JPH/4c/Y
/KUh209L4hIRIrhlxbhSM/wT5em+qKaAFSEpEJ4msrgpDBZk2mQ=
=Mb/x
-----END PGP SIGNATURE-----