PT-2026-41799 · Red Hat+3 · Cryostat 4+8

Klajok

·

Published

2026-05-18

·

Updated

2026-05-29

·

CVE-2026-46384

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions iskorotkov/avro versions prior to 2.33.0 github.com/hamba/avro/v2 versions prior to 2.32.0
Description Several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking or summed them using overflow-prone signed-int arithmetic. On 32-bit targets, these truncation paths can bypass byte-slice limits, select the wrong union branch, or cause a panic during OCF block reads. Additionally, three issues affect all platforms: cumulative-size arithmetic overflow in arrayDecoder.Decode(), mapDecoder.Decode(), and mapDecoderUnmarshaler.Decode() (which can bypass MaxSliceAllocSize and MaxMapAllocSize), math.MinInt negation in block-header handling, and negative size allocation in make([]byte, size) during OCF block reads. These flaws provide an attacker with a denial-of-service primitive via an untrusted Avro stream.
Recommendations Update iskorotkov/avro to version 2.33.0 or later. Migrate from github.com/hamba/avro/v2 to iskorotkov/avro version 2.33.0 or later. As a temporary mitigation, avoid decoding untrusted Avro data. Restrict access to the arrayDecoder.Decode(), mapDecoder.Decode(), and mapDecoderUnmarshaler.Decode() functions when processing untrusted input.

Exploit

Fix

DoS

Integer Underflow

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46384
GHSA-MC57-H6J3-3HMV

Affected Products

Cryostat 4
Multicluster Global Hub
Red Hat Advanced Cluster Management For Kubernetes 2.13
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Hardened Images
Avro
Github.Com/Iskorotkov/Avro/V2