CVE-2026-39414
Awaiting Analysis Awaiting Analysis - Queue
Memory Exhaustion in MinIO S3 Select via Malicious CSV Files

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required β€” a sufficiently large uncompressed CSV with no newlines triggers the same issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39414
EUVD
EUVD-2026-20602
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
minio minio From 2018-08-18t03-49-57z (inc) to 2025-10-15t17-29-55z (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause the MinIO server to crash due to memory exhaustion when processing maliciously crafted CSV files without newline characters.

Such crashes can lead to denial of service (DoS), disrupting access to stored data and impacting availability.

Since exploitation requires authenticated user permissions (s3:PutObject and s3:GetObject), an attacker with these permissions can intentionally cause service interruptions.

Executive Summary

This vulnerability affects MinIO's S3 Select feature when processing CSV files that contain lines longer than the available memory. The CSV reader function nextSplit() uses bufio.Reader.ReadBytes('\n') without any size limit, which causes it to buffer the entire input in memory until a newline character is found.

If a CSV file has no newline characters, the entire file content is read into a single memory allocation, leading to an out-of-memory (OOM) crash of the MinIO server process.

An attacker who is an authenticated user with s3:PutObject and s3:GetObject permissions can exploit this by uploading specially crafted CSV files. The attack is more effective when the CSV file is compressed (e.g., gzip), as a small compressed file can decompress into gigabytes of data without newlines, causing large memory consumption on the server.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart