Description
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets — so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally" — a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Avro decoder in the iskorotkov/avro library contained a loop that iterated over a block-count value supplied by an attacker without checking for reader errors during each iteration. The count is returned as a 64-bit integer, allowing an attacker to specify an astronomically large number of elements in a single block. When followed by an end-of-file or truncated payload, the decoder performs that many no-op iterations before noticing the error, effectively tying up a CPU core until the process is externally stopped. This flaw is a classic example of unbounded resource consumption (CWE-400) and results in a remote, unauthenticated denial-of-service condition.
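As an added illustration, not the library's own code, here is a minimal array<long> decoder with the in-loop error check the advisory describes; the Reader type, its Buf/Pos/Err fields and its ReadLong method are this example's stand-ins (the reader's error state is assumed to be sticky, as the description implies), and the inner r.Err check is the spot where the pre-2.33.0 loop kept spinning.

```go
package main
import "io"
// Reader stands in for an Avro binary reader (this example's own names, not the library's API); Err is sticky.
type Reader struct {
	Buf []byte
	Pos int
	Err error
}
// ReadLong decodes an Avro zigzag varint; on truncation it sets Err and returns 0 (the vulnerable loop's no-op).
func (r *Reader) ReadLong() int64 {
	var u uint64
	for shift := uint(0); shift < 70; shift += 7 {
		if r.Pos >= len(r.Buf) {
			r.Err = io.ErrUnexpectedEOF
			return 0
		}
		b := r.Buf[r.Pos]
		r.Pos++
		u |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			return int64(u>>1) ^ -int64(u&1)
		}
	}
	r.Err = io.ErrUnexpectedEOF // more than 10 varint bytes is malformed
	return 0
}
// DecodeLongArray decodes an Avro array<long> block by block. The r.Err check
// inside the element loop is the fix the advisory describes: huge count + EOF fails on the first missing item.
func DecodeLongArray(r *Reader) ([]int64, error) {
	out := []int64{}
	for {
		count := r.ReadLong()
		if count < 0 { // negative count: abs(count) items after a byte-size long
			count, _ = -count, r.ReadLong()
		}
		if r.Err != nil {
			return nil, r.Err
		}
		if count == 0 {
			return out, nil // a zero count terminates the array
		}
		for i := int64(0); i < count; i++ {
			v := r.ReadLong()
			if r.Err != nil {
				return nil, r.Err // the pre-2.33.0 loop lacked this check
			}
			out = append(out, v)
		}
	}
}
```

A block header that declares math.MaxInt64 elements and is then cut off now returns io.ErrUnexpectedEOF on the first element read, so a CPU limit or deadline is only a backstop rather than the primary defence.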

Affected Systems

All deployed instances of iskorotkov/avro prior to version 2.33.0 are affected. The fix was introduced in release 2.33.0; any earlier version parsing Avro data is vulnerable.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only the ability to send a crafted Avro payload to the vulnerable service, and it is remotely reachable because the decoder accepts untrusted input. Attackers can cause sustained high CPU usage, leaving the target application unresponsive until the process is killed.

Generated by OpenCVE AI on May 29, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Avro library to version 2.33.0 or later
  • If an upgrade is not immediately possible, restrict network traffic to trusted sources or apply a firewall rule to block untrusted Avro traffic
  • Apply CPU resource limits or cgroup constraints to processes using the Avro parser, ensuring that a single process cannot monopolize a core


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-w8j3-pq8g-8m7w
Title: iskorotkov/avro: CPU Exhaustion in Decoder
History

Fri, 29 May 2026 20:15:00 +0000

Values Removed: none

Values Added:

  • Description: iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets — so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally" — a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.
  • Title: iskorotkov/avro: CPU Exhaustion in Avro Decoder
  • Weaknesses: CWE-400
  • References: none listed
  • Metrics: cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:58:59.667Z

Reserved: 2026-05-13T19:53:47.922Z

Link: CVE-2026-46385

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T20:16:27.990

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-46385

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses