Denial of Service Vulnerability in Open vSwitch Triggered by a Crafted FTP Command
CVE-2026-34956

5.9 MEDIUM

What is CVE-2026-34956?

A vulnerability exists in Open vSwitch that affects systems configured with conntrack flows that use the FTP helper on the userspace datapath. By sending a specially crafted FTP stream containing an EPASV command with a length exceeding 255 characters, a remote attacker could trigger a heap access error. This flaw can crash the system, resulting in denial of service for the affected environment. Affected systems should be secured against this attack vector.
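The affected configuration described above (FTP helper flows on the userspace datapath) can be checked for from the switch's own state. The script below is an added example, not Open vSwitch project code; the sample flow dump is constructed, and the bridge name `br0` in the comments is an assumption.

```shell
#!/bin/sh
# Exposure check: userspace datapath plus conntrack flows that use the FTP helper.
# On a live host, feed it real output, for example:
#   ovs-vsctl get bridge br0 datapath_type      (br0 is an assumed bridge name)
#   ovs-ofctl dump-flows br0 > flows.txt

# Constructed sample of `ovs-ofctl dump-flows` output (not from a real system).
sample_flows() {
cat <<'EOF'
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, ct_state=-trk,tcp actions=ct(table=1)
 cookie=0x0, duration=12.3s, table=1, n_packets=0, n_bytes=0, ct_state=+new+trk,tcp,tp_dst=21 actions=ct(commit,alg=ftp),output:2
 cookie=0x0, duration=12.3s, table=1, n_packets=0, n_bytes=0, ct_state=+est+trk,tcp actions=output:2
EOF
}

# Print flows whose ct() action enables the FTP helper (alg=ftp).
# Reads a flow dump on stdin; prints nothing when no flow matches.
ftp_alg_flows() {
    grep -E 'ct\(.*alg=ftp[,)]' || true
}

# Return 0 when the configuration matches the advisory's preconditions:
#   $1 = datapath_type value ("netdev" means the userspace datapath)
#   $2 = file holding the flow dump
is_exposed() {
    dp=$(printf '%s' "$1" | tr -d '"')   # ovs-vsctl may print "" for the default
    [ "$dp" = "netdev" ] || return 1
    [ -n "$(ftp_alg_flows < "$2")" ]
}

# Demo run on the constructed sample.
tmp=$(mktemp)
sample_flows > "$tmp"
if is_exposed "netdev" "$tmp"; then
    echo "Userspace datapath with FTP helper flows:"
    ftp_alg_flows < "$tmp"
else
    echo "No FTP helper flows on a userspace datapath"
fi
rm -f "$tmp"
```

A match only shows that the preconditions named in the advisory are present; whether the installed Open vSwitch build contains the fix has to be confirmed against the vendor's advisory.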

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Seiji Sakurai for reporting this issue.