An update for openvswitch is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1872 Final 1.0 1.0 2026-04-11 Initial 2026-04-11 2026-04-11 openEuler SA Tool V1.0 2026-04-11 openvswitch security update An update for openvswitch is now available for openEuler-24.03-LTS-SP1 Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Security Fix(es): ["Description\n===========\n\nMultiple versions of Open vSwitch are vulnerable to crafted FTP payloads\ncausing invalid memory accesses, potential denial of service, and possible\nremote code execution. This impacts the userspace implementation of\nconntrack. Triggering the vulnerability requires that Open vSwitch has\nconfigured conntrack flows specifying the FTP alg handler. Conntrack\nhandlers in userspace are not automatically applied.\n\nThe issue is caused by type narrowing when copying FTP substrings. It\nhas existed in all versions of the userspace conntrack supporting the\nFTP handler. This was introduced with Open vSwitch version 2.8.0 and\naffects all versions up to 3.7.0.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned CVE-2026-34956 identifier to this issue. At the time of writing\nthe flaw is considered with Moderate impact and 5.9 CVSS.\n\n\nMitigation\n==========\n\nFor any affected version of Open vSwitch, avoiding the FTP alg will\nprevent the issue from triggering. The Open vSwitch team does not\nrecommend attempting to mitigate the vulnerability this way because it\nmay impact packet forwarding.\n\nBy default, alg handlers are not installed, and must be added as part\nof the OpenFlow rules (via 'ct(alg=ftp)' for example).\n\nUsers can check if they are using affected flows by looking at their\nOpenFlow ruleset for their bridges, for example:\n\n ovs-ofctl dump-flows <bridge> | grep 'alg=ftp'\n\nWe have found that Open vSwitch may be subject to heap corruption when\nprocessing FTP messages.\n\n\nFix\n===\n\nPatches to fix this vulnerability in Open vSwitch 3.3 and newer are\napplied to the appropriate branches, and the original patch is located\nat:", 'Recommendation\n==============\n\nWe recommend that users of Open vSwitch apply the included patch, or\nupgrade to a known patched version of Open vSwitch. These include:\n\n* 3.3.9\n* 3.4.6\n* 3.5.4\n* 3.6.3\n* 3.7.1\n\n\nAcknowledgements\n================\n\nThe Open vSwitch team wishes to thank the reporter:\n\n * Seiji Sakurai <Seiji.Sakurai () outlook com>'](CVE-2026-34956) An update for openvswitch is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium openvswitch https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1872 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34956 https://nvd.nist.gov/vuln/detail/CVE-2026-34956 openEuler-24.03-LTS-SP1 network-scripts-openvswitch-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-debuginfo-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-debugsource-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-devel-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-dpdk-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-ipsec-3.2.1-5.oe2403sp1.aarch64.rpm openvswitch-testcontroller-3.2.1-5.oe2403sp1.aarch64.rpm python3-openvswitch-3.2.1-5.oe2403sp1.aarch64.rpm network-scripts-openvswitch-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-debuginfo-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-debugsource-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-devel-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-dpdk-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-ipsec-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-testcontroller-3.2.1-5.oe2403sp1.x86_64.rpm python3-openvswitch-3.2.1-5.oe2403sp1.x86_64.rpm openvswitch-3.2.1-5.oe2403sp1.src.rpm openvswitch-test-3.2.1-5.oe2403sp1.noarch.rpm ["Description\n===========\n\nMultiple versions of Open vSwitch are vulnerable to crafted FTP payloads\ncausing invalid memory accesses, potential denial of service, and possible\nremote code execution. This impacts the userspace implementation of\nconntrack. Triggering the vulnerability requires that Open vSwitch has\nconfigured conntrack flows specifying the FTP alg handler. Conntrack\nhandlers in userspace are not automatically applied.\n\nThe issue is caused by type narrowing when copying FTP substrings. It\nhas existed in all versions of the userspace conntrack supporting the\nFTP handler. This was introduced with Open vSwitch version 2.8.0 and\naffects all versions up to 3.7.0.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned CVE-2026-34956 identifier to this issue. At the time of writing\nthe flaw is considered with Moderate impact and 5.9 CVSS.\n\n\nMitigation\n==========\n\nFor any affected version of Open vSwitch, avoiding the FTP alg will\nprevent the issue from triggering. The Open vSwitch team does not\nrecommend attempting to mitigate the vulnerability this way because it\nmay impact packet forwarding.\n\nBy default, alg handlers are not installed, and must be added as part\nof the OpenFlow rules (via 'ct(alg=ftp)' for example).\n\nUsers can check if they are using affected flows by looking at their\nOpenFlow ruleset for their bridges, for example:\n\n ovs-ofctl dump-flows <bridge> | grep 'alg=ftp'\n\nWe have found that Open vSwitch may be subject to heap corruption when\nprocessing FTP messages.\n\n\nFix\n===\n\nPatches to fix this vulnerability in Open vSwitch 3.3 and newer are\napplied to the appropriate branches, and the original patch is located\nat:", 'Recommendation\n==============\n\nWe recommend that users of Open vSwitch apply the included patch, or\nupgrade to a known patched version of Open vSwitch. These include:\n\n* 3.3.9\n* 3.4.6\n* 3.5.4\n* 3.6.3\n* 3.7.1\n\n\nAcknowledgements\n================\n\nThe Open vSwitch team wishes to thank the reporter:\n\n * Seiji Sakurai <Seiji.Sakurai () outlook com>'] 2026-04-11 CVE-2026-34956 openEuler-24.03-LTS-SP1 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H openvswitch security update 2026-04-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1872