PatchSiren cyber security CVE debrief
CVE-2026-46384 iskorotkov CVE debrief
CVE-2026-46384 is a HIGH-severity vulnerability (CVSS 4.0: 8.7) in the iskorotkov/avro Go Avro codec library, affecting versions prior to 2.33.0. It stems from improper handling of attacker-controlled 64-bit values in Avro decoder paths, with distinct impact profiles on 32-bit and 64-bit platforms. On 32-bit architectures (GOARCH=386, arm, mips, wasm, etc.), 64-bit values are narrowed to the platform-sized int before bounds checking, enabling silent bypass of byte-slice limits, incorrect union branch selection, and OCF negative-make panics via integer wrap. Three sub-issues affect all platforms: cumulative-size arithmetic overflow in arrayDecoder.Decode, mapDecoder.Decode, and mapDecoderUnmarshaler.Decode (wrapping at math.MaxInt64 and bypassing the MaxSliceAllocSize/MaxMapAllocSize limits), negation of math.MinInt in block-header handling, and negative-size make([]byte, size) calls in OCF block reads. These platform-agnostic issues provide denial-of-service primitives through panics or allocation cap bypasses. The vulnerability was published to NVD on 2026-05-29 and is classified as CWE-190 (Integer Overflow or Wraparound). Version 2.33.0 fixes these integer-handling defects.
- Vendor: iskorotkov
- Product: avro
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations using iskorotkov/avro for Avro serialization in Go applications, particularly those deploying on 32-bit architectures or processing untrusted Avro data from external sources.
Technical summary
The iskorotkov/avro library prior to 2.33.0 contains multiple integer overflow vulnerabilities in Avro decoding paths. On 32-bit platforms, 64-bit wire values truncate to int before bounds checks, enabling silent limit bypasses and incorrect union branch selection. On all platforms, cumulative size arithmetic overflows in array/map decoders (wrapping at MaxInt64), math.MinInt negation in block headers, and negative-size allocations in OCF reads provide denial-of-service vectors through panics or allocation cap bypasses.
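The two arithmetic patterns the summary describes, as an added Go illustration that is not code from iskorotkov/avro: a cumulative-size check that wraps beside an overflow-safe one, and narrowing a 64-bit wire value before versus after a range check. The function names, the cap value and the use of int32 to stand in for a 32-bit platform int are constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Constructed illustration of the bug class in the debrief, not iskorotkov/avro
// code. MaxSliceAllocSize borrows the advisory's limit name; the value is arbitrary.
const MaxSliceAllocSize int64 = 1 << 30

var ErrTooLarge = errors.New("avro: size exceeds MaxSliceAllocSize")

// addNaive is the vulnerable cumulative-size pattern: add, then compare.
// int64 addition wraps, so a huge block drives total negative and the check passes.
func addNaive(total, block int64) (int64, error) {
	total += block
	if total > MaxSliceAllocSize {
		return 0, ErrTooLarge
	}
	return total, nil
}

// addSafe rejects negative sizes and checks headroom before adding, so no wrap.
func addSafe(total, block int64) (int64, error) {
	if block < 0 || block > MaxSliceAllocSize-total {
		return 0, ErrTooLarge
	}
	return total + block, nil
}

// narrowNaive models the 32-bit path: the wire long is converted to the platform int (int32 here) before any range check.
func narrowNaive(v int64) int32 { return int32(v) }

// narrowSafe range-checks the full 64-bit value before converting.
func narrowSafe(v int64) (int32, error) {
	if v < 0 || v > math.MaxInt32 {
		return 0, ErrTooLarge
	}
	return int32(v), nil
}

func main() {
	t, err := addNaive(16, math.MaxInt64-8)
	fmt.Println("naive:", t, err) // negative total, <nil>: cap bypassed
	_, err = addSafe(16, math.MaxInt64-8)
	fmt.Println("safe:", err)
	fmt.Println(narrowNaive(1<<32+7), narrowNaive(1<<31)) // 7 -2147483648
}
```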
Defensive priority
HIGH
Recommended defensive actions
- Upgrade iskorotkov/avro to version 2.33.0 or later to remediate integer overflow vulnerabilities in Avro decoder paths
- Audit applications using the avro codec on 32-bit architectures (GOARCH=386, arm, mips, wasm) for exposure to truncation-based bypasses
- Implement input validation and size limits on Avro data ingestion to mitigate oversized or malicious wire format payloads
- Monitor application logs for panics related to negative make() calls or allocation failures that may indicate exploitation attempts
- Review and update dependency management practices to ensure timely patching of transitive dependencies using avro codec
Evidence notes
Vulnerability description and CVSS vector sourced from NVD record. CWE-190 classification from [email protected]. Fix version 2.33.0 confirmed in advisory. Platform-specific impacts (32-bit truncation, 64-bit overflow) explicitly documented in CVE description. No KEV listing or known ransomware campaign use identified.
Official resources
- CVE-2026-46384 CVE record (CVE.org)
- CVE-2026-46384 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29