CVE-2026-11312
BaseFortify
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytedance | infini_store | up to 0.2.33 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11312 is a Denial of Service vulnerability in the InfiniStore KV Map component caused by the use of a non-cryptographic hashing function for cache keys.
InfiniStore stores cache keys in a global unordered map that uses the default std::hash<std::string> implementation, which is deterministic and not resistant to adversarial collision generation.
Attackers can craft many distinct keys that collide in the same hash bucket, causing operations on the shared map to degrade from expected constant time (O(1)) to linear time (O(n)).
This degradation blocks the single-threaded server path, resulting in denial of service for all clients sharing the InfiniStore instance.
The issue persists in memory until colliding entries are evicted, the map is purged, or the server process is restarted.
A fix involves replacing the default hash function with a keyed hash function like SipHash to prevent precomputed collisions.
How can this vulnerability impact me?
This vulnerability can cause a Denial of Service (DoS) condition in systems using InfiniStore by allowing attackers to degrade the performance of key-value map operations.
By submitting specially crafted cache keys that collide in the hash map, an attacker can force the server to perform linear-time operations instead of constant-time, effectively blocking the single-threaded server.
As a result, all clients relying on the affected InfiniStore instance may experience service interruptions or unavailability until the issue is resolved by evicting entries, purging the map, restarting the server, or applying a fix.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for denial of service symptoms caused by inefficient operations on the global key-value map in InfiniStore. Specifically, look for performance degradation or blocking in the single-threaded libuv server path due to many colliding cache keys.
Detection involves identifying if the InfiniStore instance is processing a large number of crafted cache keys that cause hash collisions in the std::unordered_map used for the kv_map.
Because the vulnerability lies in the internal data structure and its hash collisions, the available resources provide no specific commands for detecting it on your system or network. You can still monitor the InfiniStore process for high CPU usage or blocking behavior, and inspect logs or metrics related to cache key operations.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include clearing the existing key-value map state or restarting the InfiniStore server process to evict colliding entries from memory.
A permanent fix requires changing the hash function used by the kv_map from the default std::hash to a keyed hash function such as SipHash, which resists adversarial collision attacks.
Until an official patch or update is released, monitor and limit local access to the InfiniStore instance to reduce the risk of local attackers exploiting this vulnerability.
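The keyed-hash fix described above, as an added example (not InfiniStore's code or its patch): a SipHash-2-4 hasher with a per-process random key plugged into std::unordered_map. The names siphash24, random64, KeyedStringHash and KvMap are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <string>
#include <unordered_map>
static inline uint64_t rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
// SipHash-2-4 of `len` bytes at `in` under the 128-bit key (k0, k1).
uint64_t siphash24(const unsigned char* in, size_t len, uint64_t k0, uint64_t k1) {
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    auto sipround = [&] {
        v0 += v1; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32);
        v2 += v3; v3 = rotl64(v3, 16); v3 ^= v2;
        v0 += v3; v3 = rotl64(v3, 21); v3 ^= v0;
        v2 += v1; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32);
    };
    auto absorb = [&](uint64_t m) { v3 ^= m; sipround(); sipround(); v0 ^= m; };
    uint64_t m = 0;
    for (size_t i = 0; i < len; ++i) {
        m |= static_cast<uint64_t>(in[i]) << (8 * (i & 7));  // little-endian word
        if ((i & 7) == 7) { absorb(m); m = 0; }
    }
    absorb(m | (static_cast<uint64_t>(len) << 56));  // last word carries len mod 256
    v2 ^= 0xff; sipround(); sipround(); sipround(); sipround();
    return v0 ^ v1 ^ v2 ^ v3;
}

static uint64_t random64() {
    std::random_device rd;
    return (static_cast<uint64_t>(rd()) << 32) | rd();
}
// Hasher keyed once per process, so bucket placement cannot be precomputed offline.
struct KeyedStringHash {
    uint64_t k0, k1;
    KeyedStringHash(uint64_t a, uint64_t b) : k0(a), k1(b) {}  // fixed key, for tests
    KeyedStringHash() : k0(process_key()[0]), k1(process_key()[1]) {}
    static const uint64_t* process_key() {  // drawn on first use, then reused
        static const uint64_t key[2] = {random64(), random64()};
        return key;
    }
    size_t operator()(const std::string& s) const {
        auto p = reinterpret_cast<const unsigned char*>(s.data());
        return static_cast<size_t>(siphash24(p, s.size(), k0, k1));
    }
};
// Hypothetical stand-in for the kv_map: same container, keyed hasher swapped in.
using KvMap = std::unordered_map<std::string, std::string, KeyedStringHash>;
```

The key must stay secret and must come from a real entropy source; where std::random_device is not backed by one, draw the key from the operating system's random generator instead.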