Description
MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required — a sufficiently large uncompressed CSV with no newlines triggers the same issue.
Published: 2026-04-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to Memory Exhaustion
Action: Immediate Patch
AI Analysis

Impact

An unbounded memory allocation occurs in MinIO’s S3 Select CSV parsing when a CSV file contains lines longer than available memory. The CSV reader calls ReadBytes('\n') without a size limit, buffering the entire input until a newline is found. A file without a newline causes the entire content to be read into a single allocation, leading to an out‑of‑memory crash of the MinIO server process.
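
The Go program below is an added example, not code from the MinIO project or from this advisory. It puts the unbounded bufio.Reader.ReadBytes('\n') pattern described in the Description and in the Impact paragraph above next to a bounded replacement, and runs both over a constructed, scaled-down version of the gzip amplification payload (4 MiB of one repeated byte, no newline, a few kilobytes once compressed). The names ErrLineTooLong, boundedNextLine, CountLinesBounded, NewlineFreeGzip, gunzip and VulnerableReadAll, the 64 KiB read buffer and the 1 MiB per-line cap are this example's own choices; vulnerableNextLine is an illustrative stand-in for the nextSplit() path, not MinIO's code.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrLineTooLong is returned when one CSV line would exceed the configured cap.
var ErrLineTooLong = errors.New("csv: line exceeds maximum allowed length")

// sampleCSV is constructed sample input for this example, not advisory data.
const sampleCSV = "id,name\n1,alice\n2,bob\n"

// vulnerableNextLine mirrors the advisory's pattern (a stand-in, not MinIO's
// nextSplit()): ReadBytes grows until '\n', so newline-free input is one allocation.
func vulnerableNextLine(r *bufio.Reader) ([]byte, error) {
	return r.ReadBytes('\n')
}

// boundedNextLine reads one line (terminator included) but never holds more than
// maxLine bytes of it. ReadSlice returns bufio.ErrBufferFull when the internal
// buffer fills without a '\n'; we keep accumulating only while under the cap.
func boundedNextLine(r *bufio.Reader, maxLine int) ([]byte, error) {
	var line []byte
	for {
		chunk, err := r.ReadSlice('\n')
		if len(line)+len(chunk) > maxLine {
			return nil, ErrLineTooLong // rejected before the bytes are copied
		}
		line = append(line, chunk...)
		switch {
		case err == nil:
			return line, nil // complete line ending in '\n'
		case errors.Is(err, bufio.ErrBufferFull):
			continue // no '\n' yet, but still under the cap
		case errors.Is(err, io.EOF) && len(line) > 0:
			return line, nil // final line without a trailing '\n'
		default:
			return nil, err // io.EOF at a clean end of input, or a read error
		}
	}
}

// CountLinesBounded streams r line by line, returning the line count or
// ErrLineTooLong; peak memory is about the bufio buffer plus maxLine.
func CountLinesBounded(r io.Reader, maxLine int) (int, error) {
	br := bufio.NewReaderSize(r, 64*1024)
	n := 0
	for {
		_, err := boundedNextLine(br, maxLine)
		if errors.Is(err, io.EOF) {
			return n, nil
		}
		if err != nil {
			return n, err
		}
		n++
	}
}

// NewlineFreeGzip builds the advisory's amplification payload at reduced scale
// (constructed data): size bytes of one repeated character, no newline, gzipped.
func NewlineFreeGzip(size int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(bytes.Repeat([]byte("a"), size))
	zw.Close()
	return buf.Bytes()
}

// gunzip wraps a payload from NewlineFreeGzip in a decompressing reader.
func gunzip(gz []byte) io.Reader {
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		panic(err) // cannot happen for data produced by NewlineFreeGzip
	}
	return zr
}

// VulnerableReadAll parses the payload the unbounded way; returns bytes held at once.
func VulnerableReadAll(gz []byte) int {
	line, _ := vulnerableNextLine(bufio.NewReader(gunzip(gz)))
	return len(line)
}

func main() {
	n, err := CountLinesBounded(strings.NewReader(sampleCSV), 1024)
	fmt.Println("normal csv:", n, "lines, err:", err)
	gz := NewlineFreeGzip(4 << 20) // 4 MiB of 'a' with no newline
	fmt.Println("compressed payload bytes:", len(gz))
	fmt.Println("unbounded reader buffered bytes:", VulnerableReadAll(gz))
	_, err = CountLinesBounded(gunzip(gz), 1<<20) // cap of 1 MiB per line
	fmt.Println("bounded reader err:", err)
}
```

Run it with go run. The unbounded path reports the full 4 MiB held in a single slice from a payload of a few kilobytes, which is the amplification the advisory describes, only with the decompressed size scaled down so the example finishes quickly; the bounded path stops with ErrLineTooLong after reading roughly one cap's worth of data and never allocates more than the read buffer plus the cap. The check is made on the running length before the chunk is appended, so an attacker-controlled stream cannot push the allocation past the cap even by one buffer. In a real deployment the cap has to be sized to the longest legitimate CSV record, which is why a per-line limit is a far better control than rejecting objects that happen to contain no newline at all.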

Affected Systems

Versions from RELEASE.2018-08-18T03-49-57Z up to but not including RELEASE.2025-12-20T04-58-37Z of the MinIO product are affected. Any instance of MinIO that has the S3 Select feature enabled is vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 7.1 (High; the CVSS v3.1 vector scores 6.5) reflects a denial of service reachable by any authenticated user holding s3:PutObject and s3:GetObject on a bucket. The EPSS score is below 1% and the CVE is not in the KEV catalog, but neither lowers the impact for an exposed deployment: the attacker only needs to upload a CSV object with no newline (optionally gzip-compressed, so a ~2 MB upload can expand to gigabytes on the server) and issue a SelectObjectContent request against it, after which the server process crashes on the OOM condition. No prerequisites beyond those credentials are required.

Generated by OpenCVE AI on April 8, 2026 at 21:24 UTC.

Remediation

The vendor fixed the issue in RELEASE.2025-12-20T04-58-37Z, the first release outside the affected range; upgrading to that release or later is the fix. No vendor workaround for earlier releases is documented.

OpenCVE Recommended Actions

  • Upgrade to MinIO RELEASE.2025-12-20T04-58-37Z or later, the first release outside the affected range, to eliminate the unbounded memory allocation.
  • If an upgrade is not immediately possible, disable the S3 Select feature for affected buckets or on the server to prevent the vulnerable parsing path.
  • Where a proxy or ingestion pipeline sits in front of MinIO, enforce a maximum line length (and a maximum decompressed size for compressed objects) on CSV input before it can reach S3 Select. Rejecting files that contain no newline characters is not sufficient on its own: a file with newlines can still contain one line larger than available memory, and a gzip-compressed object cannot be inspected without first decompressing it.
  • Apply least‑privilege controls, ensuring only trusted users have s3:PutObject and s3:GetObject permissions that could trigger S3 Select operations.
  • Monitor for OOM kills and restart loops of the MinIO server process, alert on S3 Select (SelectObjectContent) requests against unusually large or compressed CSV objects, and apply vendor patches as soon as they become available.

Generated by OpenCVE AI on April 8, 2026 at 21:24 UTC.

Advisories
Source | ID | Title
GitHub GHSA | GHSA-h749-fxx7-pwpg | MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
History

Wed, 15 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 09 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Minio; Minio minio
Vendors & Products | | Minio; Minio minio

Wed, 08 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required — a sufficiently large uncompressed CSV with no newlines triggers the same issue.
Title | | MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
Weaknesses | | CWE-770
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:17:17.322Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39414

Vulnrichment

Updated: 2026-04-09T14:57:50.671Z

NVD

Status : Analyzed

Published: 2026-04-08T21:16:58.877

Modified: 2026-04-15T19:30:46.397

Link: CVE-2026-39414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:28Z

Weaknesses