PT-2026-41800 · Red Hat+3 · Cryostat 4+8

Klajok

·

Published

2026-05-18

·

Updated

2026-05-29

·

CVE-2026-46385

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions iskorotkov/avro versions prior to 2.33.0 github.com/hamba/avro/v2 versions prior to 2.32.0
Description Remote, unauthenticated denial-of-service occurs due to CPU exhaustion in the Avro array and map decoders. The issue arises because the decoders loop over an attacker-controlled block-count value without checking the underlying reader's error state within the loop body. On amd64 and arm64 targets, the Reader.ReadBlockHeader function returns the count as a 64-bit int, allowing a producer to declare a block of up to math.MaxInt64 elements. If the payload is truncated or ends with EOF, the decoder continues to perform no-op iterations until the loop completes, effectively pinning a CPU core until the process is terminated, deadline-cancelled, or OOM-killed.
Technical details involve the following vulnerable functions:
  • sliceSkipDecoder.Decode()
  • mapSkipDecoder.Decode()
  • Reader.ReadArrayCB()
  • Reader.ReadMapCB()
Recommendations For iskorotkov/avro versions prior to 2.33.0, update to version 2.33.0 or later. For github.com/hamba/avro/v2 versions prior to 2.32.0, migrate to iskorotkov/avro version 2.33.0 or later. To provide defense-in-depth against oversized payloads, configure Config.MaxByteSliceSize, Config.MaxSliceAllocSize, and Config.MaxMapAllocSize to set explicit allocation caps.

Exploit

Fix

DoS

Infinite Loop

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46385
GHSA-W8J3-PQ8G-8M7W

Affected Products

Cryostat 4
Multicluster Global Hub
Red Hat Advanced Cluster Management For Kubernetes 2.13
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Hardened Images
Avro
Github.Com/Iskorotkov/Avro/V2