PT-2026-41800 · Red Hat+3 · Cryostat 4+8
Klajok
·
Published
2026-05-18
·
Updated
2026-05-29
·
CVE-2026-46385
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
iskorotkov/avro versions prior to 2.33.0
github.com/hamba/avro/v2 versions prior to 2.32.0
Description
Remote, unauthenticated denial-of-service occurs due to CPU exhaustion in the Avro array and map decoders. The issue arises because the decoders loop over an attacker-controlled block-count value without checking the underlying reader's error state within the loop body. On amd64 and arm64 targets, the
Reader.ReadBlockHeader function returns the count as a 64-bit int, allowing a producer to declare a block of up to math.MaxInt64 elements. If the payload is truncated or ends with EOF, the decoder continues to perform no-op iterations until the loop completes, effectively pinning a CPU core until the process is terminated, deadline-cancelled, or OOM-killed.Technical details involve the following vulnerable functions:
sliceSkipDecoder.Decode()mapSkipDecoder.Decode()Reader.ReadArrayCB()Reader.ReadMapCB()
Recommendations
For iskorotkov/avro versions prior to 2.33.0, update to version 2.33.0 or later.
For github.com/hamba/avro/v2 versions prior to 2.32.0, migrate to iskorotkov/avro version 2.33.0 or later.
To provide defense-in-depth against oversized payloads, configure
Config.MaxByteSliceSize, Config.MaxSliceAllocSize, and Config.MaxMapAllocSize to set explicit allocation caps.Exploit
Fix
DoS
Infinite Loop
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Cryostat 4
Multicluster Global Hub
Red Hat Advanced Cluster Management For Kubernetes 2.13
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Hardened Images
Avro
Github.Com/Iskorotkov/Avro/V2