Description
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets — so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally" — a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.
Published: 2026-05-29
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Avro decoder in the iskorotkov/avro library contained a loop that iterated over a block-count value supplied by an attacker without checking for reader errors during each iteration. The count is returned as a 64‑bit integer, allowing an attacker to specify an astronomically large number of elements in a single block. When followed by an end‑of‑file or truncated payload, the decoder performs that many no‑op iterations before noticing the error, effectively tying up a CPU core until the process is externally stopped. This flaw is a classic example of unbounded resource consumption (CWE‑400) and also constitutes an infinite loop flaw (CWE‑835), resulting in a remote, unauthenticated denial‑of‑service condition.
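The loop pattern described in the Description and in the Impact paragraph above, as an added Go example that is not code from iskorotkov/avro: a hypothetical decoder for an Avro array of longs whose inner loop either checks the reader's sticky error on every iteration (the hardened form) or, as before 2.33.0, only after the loop has spun the declared count of times. The names decodeLongs and encodeLongs and the iterations counter that makes the loop cost visible are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"math"
)

// decodeLongs is a hypothetical decoder (not the library's code) for an Avro
// array of longs: blocks of "count, elements" ended by a zero count; the
// negative-count block form is left out. checkInLoop=false mirrors the
// pre-2.33.0 loop (reader error inspected only after count iterations).
func decodeLongs(data []byte, checkInLoop bool) (vals []int64, iterations int, err error) {
	r := bytes.NewReader(data)
	readLong := func() (v int64) { // zig-zag varint with a sticky first error
		if err == nil {
			v, err = binary.ReadVarint(r)
		}
		return v
	}
	for count := int(readLong()); count != 0; count = int(readLong()) {
		for i := 0; i < count; i++ { // count is a 64-bit int on amd64/arm64
			vals = append(vals, readLong()) // a no-op once err is set
			iterations++
			if checkInLoop && err != nil {
				break
			}
		}
	}
	if err != nil {
		return nil, iterations, err
	}
	return vals, iterations, nil
}

// encodeLongs writes zig-zag varints (the Avro long encoding) to construct
// test payloads, e.g. encodeLongs(3, 5, -7, 42, 0) is a valid array.
func encodeLongs(vals ...int64) (out []byte) {
	tmp := make([]byte, binary.MaxVarintLen64)
	for _, v := range vals {
		out = append(out, tmp[:binary.PutVarint(tmp, v)]...)
	}
	return out
}

func main() {
	_, n, err := decodeLongs(encodeLongs(math.MaxInt64), true)
	fmt.Println("hardened decoder stopped after", n, "iteration(s):", err)
}
```

With the in-loop check, a header claiming math.MaxInt64 elements followed by EOF costs one iteration; without it, the loop runs the full declared count before the error is surfaced, which the constructed one-million-element case makes measurable.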

Affected Systems

All deployed instances of iskorotkov/avro prior to version 2.33.0 are affected. The fix was introduced in release 2.33.0; any earlier version parsing Avro data is vulnerable.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of < 1% shows that the likelihood of exploitation is very low but not zero. Exploitation requires only the ability to send a crafted Avro payload to the vulnerable service, which is remotely possible because the decoder accepts untrusted input. Attackers can cause sustained high CPU usage, forcing the target application to become unresponsive until the process is killed or terminated.

Generated by OpenCVE AI on June 17, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Avro library to version 2.33.0 or later
  • If an upgrade is not immediately possible, restrict network traffic to trusted sources or apply a firewall rule to block untrusted Avro traffic
  • Apply CPU resource limits or cgroup constraints to processes using the Avro parser, ensuring that a single process cannot monopolize a core

Advisories
Source: Github GHSA
ID: GHSA-w8j3-pq8g-8m7w
Title: iskorotkov/avro: CPU Exhaustion in Decoder
History

Tue, 16 Jun 2026 00:15:00 +0000

  Weaknesses: added CWE-835
  References: (no values shown)
  Metrics:
    threat_severity: None (removed) -> Important (added)
    cvssV3_1: added {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 17:30:00 +0000

  Metrics:
    ssvc: added {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 May 2026 23:00:00 +0000

  First Time appeared: Iskorotkov; Iskorotkov avro
  Vendors & Products: Iskorotkov; Iskorotkov avro

Fri, 29 May 2026 20:15:00 +0000

  Description: added (the text shown under Description at the top of this page)
  Title: added "iskorotkov/avro: CPU Exhaustion in Avro Decoder"
  Weaknesses: added CWE-400
  References: (no values shown)
  Metrics:
    cvssV4_0: added {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T16:36:20.424Z

Reserved: 2026-05-13T19:53:47.922Z

Link: CVE-2026-46385

Vulnrichment

Updated: 2026-06-01T16:14:40.611Z

NVD

Status: Deferred

Published: 2026-05-29T20:16:27.990

Modified: 2026-06-01T17:17:34.323

Link: CVE-2026-46385

Redhat

Severity: Important

Public Date: 2026-05-29T19:58:59Z

Links: CVE-2026-46385 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-17T23:45:13Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')