Description
A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-05
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the purge_kv_map function of bytedance InfiniStore's KV Map Handler allows a local attacker to trigger inefficient algorithmic complexity, effectively causing excessive CPU and memory consumption. This results in a denial‑of‑service condition for the application and is classified under CWE‑404 and CWE‑407.

Affected Systems

The affected product is bytedance InfiniStore up to version 0.2.33. Any deployment of this version that includes the KV Map Handler component and runs locally on the target system is vulnerable.

Risk and Exploitability

The CVSS score is 4.8, indicating Medium severity. The EPSS score is not available and the vulnerability is not listed in the KEV catalog. Because the exploit requires local access and the vendor has not released a patch, the risk remains moderate but confined to environments where an attacker can gain local privileges. The public exploit demonstrates that an attacker who can invoke the purge_kv_map routine can exhaust system resources and disrupt service.

Generated by OpenCVE AI on June 5, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to InfiniStore version 0.2.34 or newer once the vendor releases a fix.
  • Configure OS‑level resource limits (e.g., ulimit or cgroups) to mitigate potential denial of service caused by the purge_kv_map function.
  • Implement application monitoring to detect abnormal memory or CPU consumption patterns associated with the KV Map purge operation.
  • Consult the GitHub issue thread and the project's issue tracker for any outage mitigation updates.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:30:00 +0000

Values added (none removed):

Description: A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: bytedance InfiniStore KV Map infinistore.h purge_kv_map algorithmic complexity
First Time appeared: Bytedance; Bytedance infinistore
Weaknesses: CWE-404, CWE-407
CPEs: cpe:2.3:a:bytedance:infinistore:*:*:*:*:*:*:*:*
Vendors & Products: Bytedance; Bytedance infinistore
References:
Metrics:
cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-05T00:30:14.091Z

Reserved: 2026-06-04T18:10:12.303Z

Link: CVE-2026-11312

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T02:17:10.973

Modified: 2026-06-05T02:17:10.973

Link: CVE-2026-11312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:45:32Z