CVE-2026-46385
Deferred - Pending Action
Integer Overflow in Iskorotkov Avro Go Codec

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets, so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally": a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.
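The loop pattern the description refers to, shown as an added example rather than code from iskorotkov/avro or from this record: a minimal stand-in Reader with a sticky error, a decode loop that trusts the declared block count (the pre-2.33.0 shape), and the same loop with the reader's error state consulted inside the body (the shape of the fix). The types and functions (Reader, ReadLong, ReadBlockHeader, decodeArrayVulnerable, decodeArrayFixed, encodeLong, constructedPayload) are hypothetical; the input is constructed, declaring 100000 elements but carrying only three, so both versions run to completion here, while a real hostile payload could declare math.MaxInt64.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
)

// Reader is a hypothetical stand-in for the codec's reader (not the library's
// own type); it keeps the first error it hits, the state the old loop ignored.
type Reader struct {
	src *bufio.Reader
	Err error
}

func NewReader(payload []byte) *Reader {
	return &Reader{src: bufio.NewReader(bytes.NewReader(payload))}
}

// ReadLong decodes one Avro long (zig-zag varint, the format that
// encoding/binary.ReadVarint reads); after an error it returns 0 and does nothing.
func (r *Reader) ReadLong() int64 {
	if r.Err != nil {
		return 0
	}
	v, err := binary.ReadVarint(r.src)
	if err != nil {
		r.Err = err
		return 0
	}
	return v
}

// ReadBlockHeader reads an array/map block count as a Go int (64-bit on
// amd64/arm64). A negative count means |count| items preceded by a byte size.
func (r *Reader) ReadBlockHeader() int {
	n := r.ReadLong()
	if n < 0 {
		r.ReadLong() // block byte size, not needed here
		n = -n
	}
	return int(n)
}

// decodeArrayVulnerable mirrors the pre-2.33.0 pattern: it trusts the declared
// count and never checks r.Err in the loop body, so a truncated payload costs
// one iteration per declared element before the error surfaces.
func decodeArrayVulnerable(r *Reader) (items []int64, iters int, err error) {
	for n := r.ReadBlockHeader(); n != 0; n = r.ReadBlockHeader() {
		for i := 0; i < n; i++ {
			iters++
			items = append(items, r.ReadLong()) // zeros once Err is set
		}
	}
	return items, iters, r.Err
}

// decodeArrayFixed adds the check the fix describes: consult the reader's
// error state inside the loop and stop at the first failed read, so the work
// is bounded by the bytes actually present, not by the declared count.
func decodeArrayFixed(r *Reader) (items []int64, iters int, err error) {
	for n := r.ReadBlockHeader(); n != 0; n = r.ReadBlockHeader() {
		for i := 0; i < n; i++ {
			iters++
			v := r.ReadLong()
			if r.Err != nil {
				return nil, iters, r.Err
			}
			items = append(items, v)
		}
	}
	return items, iters, r.Err
}

// encodeLong appends v as an Avro long; used only to build constructed input.
func encodeLong(dst []byte, v int64) []byte {
	var tmp [binary.MaxVarintLen64]byte
	return append(dst, tmp[:binary.PutVarint(tmp[:], v)]...)
}

// constructedPayload is sample input, not a captured message: it declares
// `declared` items but carries only the three longs 10, -5, 7. With
// terminate=true it appends the zero count that ends the array; otherwise the
// stream just stops, i.e. the truncated case the advisory describes.
func constructedPayload(declared int64, terminate bool) []byte {
	b := encodeLong(nil, declared)
	for _, v := range []int64{10, -5, 7} {
		b = encodeLong(b, v)
	}
	if terminate {
		b = encodeLong(b, 0)
	}
	return b
}

func main() {
	p := constructedPayload(100000, false) // a hostile payload may declare math.MaxInt64
	_, iv, ev := decodeArrayVulnerable(NewReader(p))
	_, fi, ef := decodeArrayFixed(NewReader(p))
	fmt.Printf("vulnerable: %d iterations, err=%v\nfixed: %d iterations, err=%v\n", iv, ev, fi, ef)
}
```

On the truncated input the vulnerable loop spends all 100000 declared iterations before returning io.EOF, while the fixed loop returns the same error after four reads (three good items plus the one that hits EOF); on a well-formed array both produce [10 -5 7] with no error. The check is cheap and sits on the read that already fails, which is why the fix bounds CPU time by payload size rather than by a number the producer chooses.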
Meta Information
Generated: 2026-05-30
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: iskorotkov
Product: avro
Version / Range: up to 2.33.0 (excluding)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-46385 is a CPU exhaustion vulnerability in the iskorotkov/avro Go Avro codec. The issue arises because the Avro array and map decoders loop over an attacker-controlled block-count value without checking for errors during the loop. An attacker can craft a payload declaring a very large block count (up to math.MaxInt64), causing the decoder to perform an excessive number of iterations. This pins a CPU core indefinitely until the process is killed or terminated.


How can this vulnerability impact me?

This vulnerability can lead to a remote, unauthenticated denial-of-service (DoS) attack by exhausting CPU resources. A single hostile payload can cause the affected process to consume a CPU core indefinitely, potentially leading to out-of-memory (OOM) kills, deadline cancellations, or forced termination of the process, thus impacting system availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a CPU exhaustion condition where the Avro decoder loops excessively due to an attacker-controlled block-count value. Detection can focus on identifying processes consuming unusually high CPU resources, especially those running the affected Avro decoder versions prior to 2.33.0.

You can monitor CPU usage on your system to detect potential exploitation. For example, on Linux systems, commands like 'top' or 'htop' can help identify processes with high CPU consumption.

  • Use 'top' or 'htop' to monitor CPU usage and identify processes consuming excessive CPU.
  • Use 'ps aux --sort=-%cpu | head' to list the top CPU-consuming processes.
  • Check logs or network traffic for unusual or malformed Avro payloads if logging or network inspection is available.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the Avro decoder library to version 2.33.0 or later, where the vulnerability is fixed by checking the reader's error state after each iteration to prevent unbounded looping.

Additionally, applying configuration settings such as MaxSliceAllocSize and MaxMapAllocSize can provide defense-in-depth by limiting resource allocation during decoding.

Until the upgrade is applied, monitor and limit resource usage of processes using the vulnerable Avro decoder to reduce the impact of potential exploitation.

