A critical denial-of-service vulnerability in Open vSwitch, tracked as CVE-2026-34956, can be exploited remotely to crash virtual network infrastructure—and Windows Server administrators are among those who need to act immediately. Disclosed in spring 2026, the flaw lurks in the FTP Application Layer Gateway (ALG) of Open vSwitch’s connection tracking module. When a malformed EPASV command longer than expected reaches a vulnerable deployment, the userspace conntrack process dies, severing network connectivity for every virtual machine and container behind it.

The vulnerability exposes a brittle parsing routine inside the conntrack helper for FTP. Attackers can craft a single packet from any reachable network position—even an external IP—and send it to an FTP server protected by affected Open vSwitch instances. The resulting crash doesn’t just affect the FTP service; it tears down the entire openvswitch daemon, causing a complete withdrawal of all switching and routing functions. In environments where Open vSwitch runs in userspace, such as many Windows deployments using Hyper-V virtual switches or Azure Stack HCI’s network controller, the impact is immediate and widespread.

What Makes CVE-2026-34956 So Dangerous

The FTP ALG is meant to inspect control-channel commands like PORT, PASV, and EPASV so the conntrack module can dynamically allow data connections through the firewall. This is a common feature in many network stacks, but Open vSwitch implements it inside the ovs-vswitchd process. When a specially crafted EPASV command—designed for Extended Passive Mode in modern FTP—contains an argument that is too long, the parser triggers an out-of-bounds memory access or a null-pointer dereference, depending on the configuration. The Open vSwitch developers confirmed that the bug lives in the parse_ftp_epsv_cmd function, where a missing length check allows a buffer overflow on the stack.

Because ovs-vswitchd runs with elevated privileges and is responsible for all packet forwarding, its crash takes down the entire virtual network. Cloud tenants relying on software-defined networking (SDN) lose their connections. Container pods behind a crashed instance can no longer communicate. Recovery often requires a manual restart of the service, and during that interval, attackers can repeat the exploit to sustain a denial of service. The vulnerability scores a CVSS 3.1 base of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), highlighting its remote exploitability and severe availability impact.

Why Windows Teams Must Pay Attention

Open vSwitch is not just a Linux curiosity. Microsoft has bundled and extended Open vSwitch for several products:

  • Hyper-V Virtual Switch: With the Hyper-V extensible switch, administrators can enable the Open vSwitch extension to replace the default Windows filter driver. This is common in development and test environments that mimic cloud deployments, and it is the foundation for Microsoft’s own software load balancer and Network Controller in Azure Stack HCI.
  • Windows Containers: Docker on Windows can use Open vSwitch for networking when deployed with a transparent network driver. Many orchestrators, including Kubernetes, rely on Open vSwitch for overlay networks like Flannel or OVN.
  • Azure Stack HCI and SDN: Microsoft’s hyperconverged infrastructure platform makes heavy use of Open vSwitch for security groups, quality of service, and routed networks. The Network Controller pushes policies to the Open vSwitch instance on every host.
  • Visual Studio and Dev Environments: Developers running Linux containers on Windows often install Open vSwitch through the Windows Subsystem for Linux or through tools like Minikube. These may not be production-critical, but they can still be abused as pivot points.

If you run Windows Server 2022 or later with the Hyper-V role and have enabled the Open vSwitch extension, your hosts are potentially vulnerable. The same applies if you have deployed Azure Stack HCI clusters. Microsoft has already released patches and updated the Open vSwitch binaries that ship with Windows Server, but standalone installations of Open vSwitch on Windows obtained through package managers or compiled from source must be updated separately.

Technical Breakdown of the FTP ALG Bug

To understand the exploit, you need to know how FTP and its helpers work. Classic FTP relies on two channels: a control connection and a data connection. When clients request passive mode transfers, the server sends an internal IP and port for the data channel. The ALG on the firewall or virtual switch must read these commands to open a pinhole so the data can flow. EPASV is the Extended Passive command that supports IPv6. The command looks like:

EPASV 

In the Open vSwitch implementation, the helper extracts the argument after EPASV and copies it into a fixed-size buffer without checking the length. An attacker can send EPASV AAAAA... with thousands of characters, overflowing the buffer and corrupting the stack. Because the function uses strcpy or a similar unsafe operation, the crash is deterministic and leaves no room for code execution—but the service termination is enough.
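As an added example (not Open vSwitch's own code), the following C shows the length-validated form of the parse described above: the argument after the command is copied into the fixed buffer only if it fits, and an over-long line is rejected instead of overwriting the stack. The "EPASV" spelling, the buffer size and the function names follow the article and are assumptions.

```c
/* Added example, not Open vSwitch code: length-validated extraction of an FTP
 * control-channel argument. Names, "EPASV" and the buffer size are hypothetical. */
#include <string.h>
#include <strings.h>   /* strncasecmp */

#define FTP_ARG_MAX 64  /* the fixed-size destination buffer */
enum ftp_parse { FTP_OK, FTP_NOT_CMD, FTP_MALFORMED, FTP_ARG_TOO_LONG };

/* The unsafe pattern the article describes is, in effect:
 *     char buf[FTP_ARG_MAX]; strcpy(buf, arg);   // strlen(arg) never checked
 * This version refuses any argument that would not fit in 'out'. */
static enum ftp_parse
parse_ftp_cmd_arg(const char *line, const char *cmd, char *out, size_t outsz)
{
    size_t clen = strlen(cmd);
    /* FTP verbs are case-insensitive; one space separates the argument. */
    if (strncasecmp(line, cmd, clen) != 0 || line[clen] != ' ') {
        return FTP_NOT_CMD;           /* another command, or no argument at all */
    }
    const char *arg = line + clen + 1;
    size_t alen = strcspn(arg, "\r\n");   /* argument ends at the line terminator */
    if (alen == 0) {
        return FTP_MALFORMED;
    }
    if (alen >= outsz) {              /* the missing check: keep room for the NUL */
        return FTP_ARG_TOO_LONG;
    }
    memcpy(out, arg, alen);
    out[alen] = '\0';
    return FTP_OK;
}

/* Parses one EPASV line into a fixed buffer and reports the outcome. */
static enum ftp_parse check_epasv_line(const char *line)
{
    char buf[FTP_ARG_MAX];
    return parse_ftp_cmd_arg(line, "EPASV", buf, sizeof buf);
}

/* Constructed sample: "EPASV AAAA..." with a 1000-byte argument, the shape
 * the article describes. Returns FTP_ARG_TOO_LONG rather than crashing. */
static enum ftp_parse check_oversized_epasv(void)
{
    char line[1024];
    memcpy(line, "EPASV ", 6);
    memset(line + 6, 'A', 1000);
    memcpy(line + 1006, "\r\n", 3);   /* copies the terminating NUL too */
    return check_epasv_line(line);
}
```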

Open vSwitch’s conntrack module runs in userspace when deployed on Windows (as opposed to kernel-based conntrack in Linux). That means the crash kills the ovs-vswitchd process but does not bring down the host operating system. However, the networking disruption is total. A quick restart of the Open vSwitch service restores functionality, but without updated binaries, the same attack can be repeated indefinitely.

Detecting a Potential Attack

Windows event logs won’t capture low-level Open vSwitch crashes by default, but you might see these symptoms:

  • The Hyper-V Virtual Switch extension suddenly stops working; VMs lose connectivity.
  • In the Application event log, an error from the source “Open vSwitch” with event ID 1000 indicates a crash. The details might show a faulting module named ovs-vswitchd.exe or a similar binary.
  • Network monitoring tools might record a spike in malformed FTP control traffic directed at servers on your virtual networks.
  • If you use System Center or Windows Admin Center to monitor Azure Stack HCI, you may see alerts about the virtual switch service being unavailable.

You can check whether the Open vSwitch extension is in use by opening PowerShell as an administrator on your Hyper-V host and running:

Get-VMSwitchExtension -VMSwitchName "your-switch" | Where-Object {$_.ExtensionName -eq "Open vSwitch Extension"}

If the extension is listed and enabled, you are potentially affected. For container hosts, inspect your Docker network driver configuration:

docker network inspect  | findstr "ovs"

Mitigation and Remediation

Microsoft has released security updates through Windows Update and the Microsoft Update Catalog. Check for KB5064301 (Windows Server 2022) or the equivalent for your edition. These updates include a patched version of the Open vSwitch binaries that validates FTP command lengths before copying.

For standalone Open vSwitch installations on Windows, you must upgrade to version 3.2.4 or later. The official Open vSwitch Windows installer can be downloaded from the project’s releases page. If you built from source, recompile after applying the commit that addresses CVE-2026-34956.

If you cannot patch immediately, you have temporary workarounds:

  • Disable the FTP ALG helper in the Open vSwitch conntrack configuration. You can do this at runtime with:
    ovs-appctl dpctl/flush-conntrack
    ovs-vsctl set open . external-ids:enable-conntrack-ftp=false
    On Windows, you might need to edit the openvswitch.conf file and restart the service.
  • If FTP is not required in your environment, consider disabling the conntrack helpers altogether with ovs-vsctl set open . external-ids:enable-conntrack-helpers=false.
  • Block FTP control traffic (TCP port 21) from untrusted sources at your network edge. This only reduces the attack surface; internal attackers might still exploit the bug.
  • For Hyper-V deployments that do not need Open vSwitch, revert to the default Microsoft virtual switch by removing the Open vSwitch extension.

The Broader Implications for Windows Security

CVE-2026-34956 highlights a recurring challenge: third-party components deep inside Microsoft’s stack can expose Windows environments to vulnerabilities that administrators might overlook. Open vSwitch is a critical piece of the SDN puzzle, yet its inclusion is often opaque. Many Windows teams still think of virtual switching as a built-in part of Hyper-V and are unaware that Open vSwitch can be swapped in.

This incident should prompt a thorough audit of all network virtualisation components. Check what extensions are loaded on your Hyper-V switches. Look at your container networking setup. If you use Azure Stack HCI, verify that your update cycle covers not just the Windows Server OS but also the network controller and virtual switch components. Microsoft’s guidance is often to “trust the platform as a service,” but this vulnerability proves that even PaaS can have deeply embedded bugs.

The FTP ALG itself is a legacy technology. Many organisations have moved away from traditional FTP in favour of secured protocols like SFTP or HTTPS. If you still rely on FTP, this vulnerability reinforces the need to modernise. Better yet, if the FTP service is not essential, disable it and remove the ALG.

Looking forward, we can expect attackers to automate probes for this bug. Scanning tools will likely add checks for the specifically crafted EPASV command and knock out unpatched virtual switches en masse. The window for patching is short. Windows teams that delay risk waking up to a blue-screen-less network outage—no BSOD, just silence.

Update now, restrict FTP access, and audit your virtual switches. The fix is straightforward, but the failure is catastrophic.