PT-2026-41799 · Red Hat+3 · Cryostat 4+8
Klajok
·
Published
2026-05-18
·
Updated
2026-05-29
·
CVE-2026-46384
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
iskorotkov/avro versions prior to 2.33.0
github.com/hamba/avro/v2 versions prior to 2.32.0
Description
Several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized
int before bounds-checking or summed them using overflow-prone signed-int arithmetic. On 32-bit targets, these truncation paths can bypass byte-slice limits, select the wrong union branch, or cause a panic during OCF block reads. Additionally, three issues affect all platforms: cumulative-size arithmetic overflow in arrayDecoder.Decode(), mapDecoder.Decode(), and mapDecoderUnmarshaler.Decode() (which can bypass MaxSliceAllocSize and MaxMapAllocSize), math.MinInt negation in block-header handling, and negative size allocation in make([]byte, size) during OCF block reads. These flaws provide an attacker with a denial-of-service primitive via an untrusted Avro stream.Recommendations
Update iskorotkov/avro to version 2.33.0 or later.
Migrate from github.com/hamba/avro/v2 to iskorotkov/avro version 2.33.0 or later.
As a temporary mitigation, avoid decoding untrusted Avro data.
Restrict access to the
arrayDecoder.Decode(), mapDecoder.Decode(), and mapDecoderUnmarshaler.Decode() functions when processing untrusted input.Exploit
Fix
DoS
Integer Underflow
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Cryostat 4
Multicluster Global Hub
Red Hat Advanced Cluster Management For Kubernetes 2.13
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Hardened Images
Avro
Github.Com/Iskorotkov/Avro/V2