Description
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets (GOARCH=386, arm, mips, wasm, etc.), the truncation paths can silently bypass byte-slice limits, select the wrong union branch, or hit the OCF negative-make panic via wrap. Three sub-issues are not 32-bit-specific: cumulative-size arithmetic overflow in arrayDecoder.Decode / mapDecoder.Decode / mapDecoderUnmarshaler.Decode (wraps at math.MaxInt64 on amd64 / arm64 and bypasses MaxSliceAllocSize / MaxMapAllocSize), math.MinInt negation in block-header handling, and make([]byte, size) with a negative size in OCF block reads — all three panic or bypass caps on any platform, giving an attacker a denial-of-service primitive there. This vulnerability is fixed in 2.33.0.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow flaw exists in the Avro decoder: 64-bit values read from an external source are truncated to a platform-sized int, or summed with signed-int arithmetic, before the bounds check runs. On 32-bit platforms the truncation can bypass slice limits, select an incorrect union branch, or produce a negative allocation size that triggers a panic. Even on 64-bit targets, cumulative-size arithmetic overflows bypass the array and map size limits, and block-header handling that negates math.MinInt wraps instead of yielding a positive size, leading to unbounded memory allocations or crashes. The downstream effect is a denial of service, either by provoking a panic or by silently defeating the decoder's allocation caps.
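The two bug classes the advisory names (narrowing a wire int64 to a platform int before the bounds check, and accumulating sizes with wrapping signed addition) are easy to see side by side. The following Go program is an added example, not code from iskorotkov/avro: it contains a minimal Avro long (zig-zag varint) decoder, the unsafe and hardened forms of the length check and of the cumulative-size sum, and the math.MinInt64 block-header case. The constant maxAlloc, the function names, and the use of int32 to stand in for `int` on a 32-bit GOARCH are assumptions for illustration; the wire bytes are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Added example, not iskorotkov/avro's code. maxAlloc and all function names
// are illustrative assumptions; int32 stands in for `int` on 32-bit targets.

// maxAlloc is an assumed per-slice cap, in the spirit of MaxSliceAllocSize.
const maxAlloc = 1 << 20

// decodeLong decodes an Avro long: a zig-zag, little-endian base-128 varint.
// It returns the value and the number of bytes consumed.
func decodeLong(buf []byte) (int64, int, error) {
	var x uint64
	var shift uint
	for i, b := range buf {
		if i >= 10 {
			return 0, 0, errors.New("varint longer than 10 bytes")
		}
		x |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			return int64(x>>1) ^ -int64(x&1), i + 1, nil // zig-zag decode
		}
		shift += 7
	}
	return 0, 0, errors.New("unexpected end of input")
}

// narrowThenCheck is the unsafe pattern: the 64-bit wire value is converted to
// a 32-bit int first, and only the truncated result is compared to the limit.
func narrowThenCheck(wire int64) (int32, error) {
	n := int32(wire) // high 32 bits silently dropped
	if n < 0 || n > maxAlloc {
		return 0, errors.New("length exceeds limit")
	}
	return n, nil
}

// checkThenNarrow is the hardened form: validate the full 64-bit value and
// narrow only once it is known to fit.
func checkThenNarrow(wire int64) (int, error) {
	if wire < 0 || wire > maxAlloc {
		return 0, fmt.Errorf("length %d outside [0, %d]", wire, maxAlloc)
	}
	return int(wire), nil
}

// unsafeSum adds first and compares afterwards, so a wrap past math.MaxInt64
// yields a negative total that trivially passes the cap.
func unsafeSum(total, size, limit int64) (int64, bool) {
	total += size
	return total, total <= limit
}

// addSizeChecked rejects negative sizes and compares size against the
// headroom left under the cap, an expression that cannot overflow.
func addSizeChecked(total, size, limit int64) (int64, error) {
	if size < 0 {
		return 0, errors.New("negative block size")
	}
	if size > limit-total {
		return 0, fmt.Errorf("cumulative size %d+%d exceeds cap %d", total, size, limit)
	}
	return total + size, nil
}

// blockCount interprets an Avro array/map block header: a negative count means
// |count| items follow, preceded by a byte size. Negating math.MinInt64 wraps
// back to itself, so that value is rejected instead of negated.
func blockCount(wire int64) (count int64, sizeFollows bool, err error) {
	if wire == math.MinInt64 {
		return 0, false, errors.New("block count is math.MinInt64")
	}
	if wire < 0 {
		return -wire, true, nil
	}
	return wire, false, nil
}

func main() {
	// Constructed wire bytes for the Avro long 2^32+16, which narrows to 16.
	v, _, err := decodeLong([]byte{0xA0, 0x80, 0x80, 0x80, 0x20})
	if err != nil {
		panic(err)
	}
	n, err := narrowThenCheck(v)
	fmt.Printf("narrow-then-check: wire=%d -> len=%d err=%v\n", v, n, err)
	_, err = checkThenNarrow(v)
	fmt.Printf("check-then-narrow: wire=%d err=%v\n", v, err)
	sum, ok := unsafeSum(1<<19, math.MaxInt64, maxAlloc)
	fmt.Printf("unsafe sum: total=%d passes=%v\n", sum, ok)
	_, err = addSizeChecked(1<<19, math.MaxInt64, maxAlloc)
	fmt.Printf("checked sum: err=%v\n", err)
}
```

Running it on a 64-bit host still shows the truncation because the example narrows to int32 explicitly; on a real 32-bit build the same effect comes from `int(wire)`. The same shape of fix applies wherever a wire value feeds `make`: compare on the widest type the wire can carry, reject negatives, and only then convert.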

Affected Systems

The vulnerable product is the iskorotkov/avro Go Avro codec. Versions prior to 2.33.0 are affected. Every architecture Go compiles for is susceptible, including 32-bit targets (386, arm, mips, wasm) and 64-bit targets (amd64, arm64).

Risk and Exploitability

The CVSS base score is 8.7, indicating a high-severity vulnerability. EPSS data is not available, and the issue is not listed in CISA's KEV catalog. An attacker can trigger the flaw by crafting malicious Avro data sent over the network or supplied from an external source, exploiting the decoder without requiring any privileged access. The combination of remote attack surface and crash outcome results in a high exploitation risk for impacted services.

Generated by OpenCVE AI on May 29, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iskorotkov/avro to version 2.33.0 or later.
  • Ensure that your build process pulls the updated dependency and redeploy the application.
  • Implement defensive checks on the size of incoming Avro data before decoding, such as validating length against configured limits, to prevent accidental misuse of the decoder if an older version cannot be replaced immediately.



Advisories

Source: Github GHSA
ID: GHSA-mc57-h6j3-3hmv
Title: iskorotkov/avro: Integer Overflow in Decoder
History

Fri, 29 May 2026 22:30:00 +0000

Values added:

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 20:15:00 +0000

Values added:

Description: as given in the Description section at the top of this record.
Title: iskorotkov/avro: Integer Overflow in Avro Decoder
Weaknesses: CWE-190
References: (none listed)
Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T21:35:18.534Z

Reserved: 2026-05-13T19:53:47.922Z

Link: CVE-2026-46384

Vulnrichment

Updated: 2026-05-29T21:35:15.556Z

NVD

Status: Deferred

Published: 2026-05-29T20:16:27.847

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-46384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses