CVE-2026-46384
Integer Overflow in Iskorotkov Avro Go Codec
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iskorotkov | avro | to 2.33.0 (exc) |
| iskorotkov | avro | 2.33.0 |
| iskorotkov | avro | v2.33.0 |
| hamba | avro | to 2.31.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46384 is an integer overflow vulnerability in the Avro decoder library used in Go. The issue occurs when the decoder reads attacker-controlled 64-bit values from the Avro wire format and either narrows them to platform-sized integers before performing bounds-checking or performs arithmetic that can overflow. On 32-bit systems, this truncation can bypass byte-slice limits, select incorrect union branches, or cause panics. Additionally, on all platforms, cumulative size arithmetic in array and map decoders can overflow, bypassing allocation limits or causing panics. Unsafe negation of minimum integer values and allocation with negative sizes can also cause panics. Exploitation requires only an untrusted Avro stream.
How can this vulnerability impact me? :
This vulnerability can lead to denial-of-service (DoS) conditions by causing panics in the Avro decoder when processing maliciously crafted data. On 32-bit systems, it can also bypass size limits and cause incorrect data processing, potentially leading to logic errors. Exploiting this vulnerability requires only supplying a malicious Avro stream, which can crash or disrupt applications using the affected decoder versions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from processing untrusted Avro streams with affected versions of the iskorotkov/avro decoder library. Detection involves identifying usage of vulnerable library versions (prior to 2.33.0) in your environment and monitoring for abnormal decoder behavior such as panics or denial-of-service symptoms during Avro data processing.
Specific commands to detect the vulnerability are not provided in the available resources. However, you can check the version of the iskorotkov/avro library in your projects by inspecting your dependency files or using package management commands, for example:
- For Go modules: run `go list -m all | grep github.com/iskorotkov/avro` to see the version in use.
- Monitor application logs for panics or errors related to Avro decoding, which may indicate exploitation attempts.
Network detection of exploit attempts would require monitoring for unusual or malformed Avro data streams, but no specific network detection commands or signatures are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the iskorotkov/avro library to version 2.33.0 or later, where the vulnerability is fixed.
If upgrading immediately is not possible, temporary mitigations include:
- Avoid processing untrusted Avro data streams to prevent exploitation.
- Isolate Avro decoding workers to limit the impact of potential denial-of-service conditions.