PT-2026-53006 · Rubygems · Fluent-Plugin-S3

Published

2026-06-26

·

Updated

2026-06-26

·

CVE-2026-44162

CVSS v3.1

2.7

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing compressed objects (such as gzip, lzma2, and lzop) from Amazon S3. The plugin read the entire decompressed payload into memory at once, without enforcing any limit on the size of the decompressed output.
If an attacker has sufficient permissions to upload objects to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file (a decompression bomb). When Fluentd decompresses it, the output expands to many times the object's stored size and consumes a correspondingly large amount of memory on the node.
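The following Ruby example is added here to illustrate the mechanism and is not code from fluent-plugin-s3 or from the advisory. It builds a constructed decompression bomb with Ruby's standard Zlib, shows the unbounded "inflate everything into one String" pattern the description refers to, and contrasts it with a streaming reader that caps the decompressed output. The names bounded_gunzip, safe_read, DecompressedTooLarge and the 1 MiB LIMIT are hypothetical; the patched plugin's actual implementation is not shown on this page.

```ruby
require 'zlib'
require 'stringio'

# Raised when decompressed output would exceed the configured limit.
# Hypothetical class; not part of fluent-plugin-s3.
class DecompressedTooLarge < StandardError; end

# Constructed sample objects (not real S3 data).
SMALL_LOG = "2026-06-26T00:00:00Z level=info msg=\"request ok\"\n" * 3
SMALL_GZ  = Zlib.gzip(SMALL_LOG)
# Decompression bomb: 16 MiB of zeros gzips down to a few tens of KiB.
BOMB_SIZE = 16 * 1024 * 1024
BOMB_GZ   = Zlib.gzip("\0" * BOMB_SIZE)
# Hypothetical policy value: refuse any object that inflates past 1 MiB.
LIMIT     = 1024 * 1024

# The pattern the advisory describes: inflate the whole object into one String.
# Memory use is dictated by the attacker's payload, not by the object size.
def unbounded_gunzip(gz_bytes)
  Zlib::GzipReader.new(StringIO.new(gz_bytes)).read
end

# Stream a gzip object through a fixed-size buffer, yielding each decompressed
# chunk, and abort as soon as the cumulative output exceeds max_bytes. Peak
# memory is bounded by chunk_size (plus zlib's own window), however far the
# input expands. Returns the total number of bytes yielded.
def bounded_gunzip(io, max_bytes:, chunk_size: 64 * 1024)
  total = 0
  gz = Zlib::GzipReader.new(io)
  begin
    # GzipReader#read(len) inflates at most len bytes per call; nil at EOF.
    while (chunk = gz.read(chunk_size))
      total += chunk.bytesize
      if total > max_bytes
        raise DecompressedTooLarge,
              "decompressed output exceeds limit of #{max_bytes} bytes"
      end
      yield chunk if block_given?
    end
  ensure
    # Closing a partially consumed stream is fine; ignore footer complaints.
    gz.close rescue nil
  end
  total
end

# Convenience wrapper: collect the bounded stream into a binary String.
def safe_read(gz_bytes, max_bytes:)
  out = String.new(encoding: Encoding::BINARY)
  bounded_gunzip(StringIO.new(gz_bytes), max_bytes: max_bytes) { |chunk| out << chunk }
  out
end

if $PROGRAM_NAME == __FILE__
  puts "bomb: #{BOMB_GZ.bytesize} bytes stored -> #{unbounded_gunzip(BOMB_GZ).bytesize} bytes inflated"
  puts "small log via bounded reader: #{safe_read(SMALL_GZ, max_bytes: LIMIT).bytesize} bytes"
  begin
    safe_read(BOMB_GZ, max_bytes: LIMIT)
  rescue DecompressedTooLarge => e
    puts "bomb rejected: #{e.message}"
  end
end
```

The check fires after at most one chunk past the limit, so the worst-case overshoot is chunk_size rather than the full expanded payload; the same structure applies to lzma2 or lzop readers as long as they expose a chunked read.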

Impact

This vulnerability allows a Denial of Service (DoS) via memory exhaustion. The rapid memory consumption during decompression can cause the operating system's OOM killer to terminate the Fluentd process, which disrupts all log collection on the affected node.

Patches

v1.8.5

Workarounds

If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:
  1. Restrict Bucket Access
  • Ensure that write (s3:PutObject) access to the S3 bucket monitored by in_s3 is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the bucket, whether granted through IAM policies, bucket policies, or ACLs. Note that this reduces who can trigger the condition but does not remove it: any principal that retains write access can still cause the memory exhaustion until the plugin is upgraded.

Weakness Enumeration

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

CVE-2026-44162
GHSA-XV9W-7V6Q-HPJH

Affected Products

Fluent-Plugin-S3