CVE-2026-11312
Deferred Deferred - Pending Action
Inefficient Algorithm in InfiniStore KV Map Handler

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulDB

Description
A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-11312
EUVD
EUVD-2026-34778
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bytedance infini_store to 0.2.33 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11312 is a Denial of Service vulnerability in the InfiniStore KV Map component caused by the use of a non-cryptographic hashing function for cache keys.

InfiniStore stores cache keys in a global unordered map that uses the default std::hash<std::string> implementation, which is deterministic and not resistant to adversarial collision generation.

Attackers can craft many distinct keys that collide in the same hash bucket, causing operations on the shared map to degrade from expected constant time (O(1)) to linear time (O(n)).

This degradation blocks the single-threaded server path, resulting in denial of service for all clients sharing the InfiniStore instance.

The issue persists in memory until colliding entries are evicted, the map is purged, or the server process is restarted.

A fix involves replacing the default hash function with a keyed hash function like SipHash to prevent precomputed collisions.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) condition in systems using InfiniStore by allowing attackers to degrade the performance of key-value map operations.

By submitting specially crafted cache keys that collide in the hash map, an attacker can force the server to perform linear-time operations instead of constant-time, effectively blocking the single-threaded server.

As a result, all clients relying on the affected InfiniStore instance may experience service interruptions or unavailability until the issue is resolved by evicting entries, purging the map, restarting the server, or applying a fix.

Detection Guidance

This vulnerability can be detected by monitoring for denial of service symptoms caused by inefficient operations on the global key-value map in InfiniStore. Specifically, look for performance degradation or blocking in the single-threaded libuv server path due to many colliding cache keys.

Detection involves identifying if the InfiniStore instance is processing a large number of crafted cache keys that cause hash collisions in the std::unordered_map used for the kv_map.

Since the vulnerability is related to the internal data structure and hashing collisions, direct detection commands are not explicitly provided. However, you can monitor the InfiniStore process for high CPU usage or blocking behavior, and inspect logs or metrics related to cache key operations.

No specific commands are provided in the available resources to detect this vulnerability on your system or network.

Mitigation Strategies

Immediate mitigation steps include clearing the existing key-value map state or restarting the InfiniStore server process to evict colliding entries from memory.

A permanent fix requires changing the hash function used by the kv_map from the default std::hash to a keyed hash function such as SipHash, which resists adversarial collision attacks.

Until an official patch or update is released, monitor and limit local access to the InfiniStore instance to reduce the risk of local attackers exploiting this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart