PT-2026-31438 · Minio · Minio

Published: 2026-04-07 · Updated: 2026-04-13 · CVE-2026-39414

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

MinIO versions RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z

Description

MinIO's S3 Select feature is susceptible to memory exhaustion when handling CSV files with lines exceeding available memory. The nextSplit() function within the CSV reader calls bufio.Reader.ReadBytes('\n') without a size constraint, so it buffers input until a newline is encountered. A CSV file lacking newline characters can therefore cause the entire file content to be loaded into memory, resulting in an out-of-memory (OOM) crash of the MinIO server. This issue is exploitable by authenticated users possessing s3:PutObject and s3:GetObject permissions. Compression can amplify the impact, as a small compressed CSV file can decompress to a large size without newlines, increasing memory consumption.

Recommendations

For MinIO versions RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z, limit the size of CSV files uploaded to the system to prevent excessive memory consumption. Consider implementing input validation to reject CSV files without newline characters.

Fix

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

BIT-MINIO-2026-39414
CVE-2026-39414
GHSA-H749-FXX7-PWPG

Affected Products

Minio