CVE-2026-46385
Deferred - Pending Action
Integer Overflow in Iskorotkov Avro Go Codec

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets, so a producer can declare a block of up to math.MaxInt64 (about 9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally": a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial of service. This vulnerability is fixed in 2.33.0.
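To make the mechanism concrete, the following is an added example written for this page, not code from iskorotkov/avro: a toy sticky-error binary reader and a decoder for an Avro array of longs in the pre-2.33.0 shape, next to the same decoder with the per-iteration error check the fix describes. The names Reader, ReadBlockCount, decodeLongArrayVulnerable and decodeLongArrayFixed are this example's own, and the hostile payload is constructed with a declared count of 1,000,000 rather than math.MaxInt64 so that the demonstration finishes.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

// Reader is a minimal stand-in (constructed for this example) for a sticky-error
// Avro binary reader: once a read fails, Err is set and later reads return zero.
type Reader struct {
	buf []byte
	pos int
	Err error
}

func NewReader(b []byte) *Reader { return &Reader{buf: b} }

// ReadLong decodes one Avro long (zig-zag varint). On truncation it records
// io.ErrUnexpectedEOF and returns 0; once Err is set every call is a no-op.
func (r *Reader) ReadLong() int64 {
	if r.Err != nil {
		return 0
	}
	u, n := binary.Uvarint(r.buf[r.pos:])
	if n <= 0 {
		r.Err = io.ErrUnexpectedEOF
		return 0
	}
	r.pos += n
	return int64(u>>1) ^ -int64(u&1)
}

// ReadBlockCount decodes an array/map block header. A negative count means the
// absolute value is the element count and a byte-size long follows it.
func (r *Reader) ReadBlockCount() int64 {
	n := r.ReadLong()
	if n < 0 {
		n = -n
		r.ReadLong() // skip the block byte size
	}
	return n
}

// encodeLong zig-zag varint-encodes n; used only to build constructed payloads.
func encodeLong(n int64) []byte {
	var b [binary.MaxVarintLen64]byte
	w := binary.PutUvarint(b[:], uint64(n<<1)^uint64(n>>63))
	return b[:w]
}

// decodeLongArrayVulnerable has the pre-2.33.0 shape: it trusts the declared
// count and consults r.Err only after the loop, so a truncated payload costs
// count iterations in which every read is a no-op. It returns the decoded
// slice, the number of inner iterations performed, and the reader error.
func decodeLongArrayVulnerable(r *Reader) ([]int64, int64, error) {
	var out []int64
	var iters int64
	for count := r.ReadBlockCount(); count > 0; count = r.ReadBlockCount() {
		for i := int64(0); i < count; i++ {
			iters++
			out = append(out, r.ReadLong()) // returns 0 once r.Err is set
		}
	}
	if r.Err != nil {
		return nil, iters, r.Err
	}
	return out, iters, nil
}

// decodeLongArrayFixed adds the check the fix describes: the reader's error
// state is tested on every iteration, so a truncated block exits after one.
func decodeLongArrayFixed(r *Reader) ([]int64, int64, error) {
	var out []int64
	var iters int64
	for count := r.ReadBlockCount(); count > 0; count = r.ReadBlockCount() {
		for i := int64(0); i < count; i++ {
			iters++
			v := r.ReadLong()
			if r.Err != nil {
				return nil, iters, r.Err
			}
			out = append(out, v)
		}
	}
	if r.Err != nil {
		return nil, iters, r.Err
	}
	return out, iters, nil
}

func main() {
	// Constructed hostile payload: a header declaring 1,000,000 elements, then
	// nothing. A real attack uses math.MaxInt64, which this demo avoids on purpose.
	hostile := encodeLong(1_000_000)
	_, n, err := decodeLongArrayVulnerable(NewReader(hostile))
	fmt.Printf("vulnerable: %d iterations, err=%v\n", n, err)
	_, n, err = decodeLongArrayFixed(NewReader(hostile))
	fmt.Printf("fixed:      %d iterations, err=%v\n", n, err)
}
```

Both decoders return the same io.ErrUnexpectedEOF; the difference is that the vulnerable one only reports it after exhausting the declared count, which is exactly the work an attacker gets to choose.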
Affected Vendors & Products

Vendor      Product   Version / Range
iskorotkov  avro      up to 2.33.0 (excluding)
iskorotkov  avro      up to 2.31.0 (including)
CWE
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-46385 is a CPU exhaustion vulnerability in the iskorotkov/avro Go Avro codec. The Avro array and map decoders loop over an attacker-controlled block count without checking the reader's error state inside the loop, so a payload that declares a very large block count (up to math.MaxInt64) and then ends makes the decoder perform that many no-op iterations. This pins a CPU core until the process is terminated; versions before 2.33.0 are affected.

Impact Analysis

This vulnerability can lead to a remote, unauthenticated denial of service by exhausting CPU. A hostile payload is only a few bytes, yet it pins one CPU core in the decoding goroutine for as long as the process lives; the loop itself does not grow memory, so the spin ends only when something external ends it, whether an OOM kill, a supervisor, or a deadline-driven shutdown of the process. In a service that decodes messages concurrently, each additional hostile message pins another core, so a handful of messages can exhaust a consumer's capacity and take it offline.

Detection Guidance

This vulnerability causes a CPU exhaustion condition: a payload of a few bytes makes the Avro array or map decoder spin over an attacker-controlled block count, so the tell-tale is a worker that is fully busy on one core while handling a tiny message and that never finishes. Detection can focus on processes running the affected codec versions prior to 2.33.0 whose CPU time climbs without corresponding throughput.

On Linux, 'top' or 'htop' will show the stuck process. Inside a Go service, a CPU profile (runtime/pprof, or the net/http/pprof endpoint if it is exposed) or a goroutine dump triggered by SIGQUIT shows the hot goroutine sitting in the array or map decoding path.

  • Use 'top' or 'htop' to identify processes pinned at one full core for longer than any single decode should take.
  • Use 'ps aux --sort=-%cpu | head' to list the top CPU-consuming processes.
  • Correlate with application symptoms: requests or consumer loops that hit their deadlines without returning, and throughput that drops to zero while CPU stays high.
  • Where payloads are logged or can be inspected on the wire, look for an array or map block header that declares far more elements than the remaining bytes could hold, or a count near math.MaxInt64; a hostile message is tiny, so size-based anomaly rules will not catch it.
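As an added example for the last point (written for this page, not part of the advisory or of iskorotkov/avro), here is a pre-decode gate in Go for messages whose top-level schema is an Avro array or map, where the first long in the payload is the first block's count. It decodes that header and flags counts above an operator-chosen cap (maxCount, an assumption of this example rather than a library setting), explicit block sizes that exceed the remaining bytes, and counts larger than the remaining bytes; the last rule is only a heuristic, because zero-width element types are legal. The sample payloads are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math"
)

// Finding is the result of inspecting a payload's leading block header.
type Finding struct {
	Count      int64 // declared element count, as an absolute value
	Suspicious bool
	Reason     string
}

// readLong decodes the Avro long (zig-zag varint) at b[pos:]. It returns the
// value, the number of bytes consumed, and false if the varint is truncated.
func readLong(b []byte, pos int) (int64, int, bool) {
	u, n := binary.Uvarint(b[pos:])
	if n <= 0 {
		return 0, 0, false
	}
	return int64(u>>1) ^ -int64(u&1), n, true
}

// encodeLong zig-zag varint-encodes n; used only to build constructed samples.
func encodeLong(n int64) []byte {
	var b [binary.MaxVarintLen64]byte
	w := binary.PutUvarint(b[:], uint64(n<<1)^uint64(n>>63))
	return b[:w]
}

// InspectArrayHeader gates a payload whose top-level schema is an array or map
// before it reaches the decoder. maxCount is an operator-chosen ceiling (assumed
// here, not a library option). A negative Avro count means |count| elements are
// preceded by a byte-size long, which can be checked against the remaining
// bytes. The count-vs-remaining-bytes rule is a heuristic: every element takes
// at least one byte unless its type is zero-width (null, or records of nulls).
func InspectArrayHeader(payload []byte, maxCount int64) Finding {
	count, n, ok := readLong(payload, 0)
	if !ok {
		return Finding{Suspicious: true, Reason: "truncated or malformed block header"}
	}
	remaining := int64(len(payload) - n)
	sized := false
	if count < 0 {
		if count == math.MinInt64 {
			return Finding{Count: math.MaxInt64, Suspicious: true, Reason: "count is MinInt64 and cannot be negated"}
		}
		count = -count
		sized = true
		size, m, ok := readLong(payload, n)
		if !ok {
			return Finding{Count: count, Suspicious: true, Reason: "block byte size is truncated"}
		}
		remaining -= int64(m)
		if size < 0 || size > remaining {
			return Finding{Count: count, Suspicious: true,
				Reason: fmt.Sprintf("block claims %d bytes but only %d remain", size, remaining)}
		}
	}
	switch {
	case count > maxCount:
		return Finding{Count: count, Suspicious: true,
			Reason: fmt.Sprintf("declared count %d exceeds cap %d", count, maxCount)}
	case !sized && count > remaining:
		return Finding{Count: count, Suspicious: true,
			Reason: fmt.Sprintf("declared count %d exceeds the %d remaining bytes (legitimate only for zero-width elements)", count, remaining)}
	}
	return Finding{Count: count}
}

func main() {
	// Constructed samples, not captured traffic.
	samples := map[string][]byte{
		"benign [5, 6]":         append(append(append(encodeLong(2), encodeLong(5)...), encodeLong(6)...), encodeLong(0)...),
		"MaxInt64 then EOF":     encodeLong(math.MaxInt64),
		"50 elements, 3 bytes":  append(encodeLong(50), 1, 2, 3),
		"sized block too large": append(append(encodeLong(-3), encodeLong(1000)...), 1, 2, 3),
		"truncated header":      {0x80},
	}
	for name, p := range samples {
		fmt.Printf("%-22s -> %+v\n", name, InspectArrayHeader(p, 1<<20))
	}
}
```

Run this at the ingress of any pipeline that decodes Avro from producers it does not trust; a flagged message should be dropped and logged with the offending count, which is also the value worth alerting on.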
Mitigation Strategies

The primary mitigation is to upgrade iskorotkov/avro to version 2.33.0 or later, where the array and map decoders check the reader's error state on every iteration, so a truncated block aborts after one element instead of spinning through the declared count.

Configuration settings such as MaxSliceAllocSize and MaxMapAllocSize can add defense in depth by limiting memory allocated during decoding. Because the spin described here is driven by the declared iteration count rather than by a large allocation, allocation caps should not be relied on by themselves to stop it.

Until the upgrade is applied, limit the blast radius rather than the payload: an ingress size limit does not help, since a hostile message is only a few bytes, and a context deadline only lets the caller give up, because Go cannot preempt the spinning goroutine from outside. Run decoding of untrusted data in a worker process that a supervisor can kill and restart on CPU-time or wall-clock limits, monitor those workers for the pinned-core symptom, and where possible accept Avro only from authenticated producers.

Compliance Impact

The vulnerability primarily causes a denial-of-service condition by exhausting CPU resources, impacting system availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such availability issues could indirectly affect compliance if critical systems handling sensitive data become unavailable.

However, there is no direct information provided about data confidentiality, integrity, or privacy impacts that are typically central to these regulations.
