PatchSiren cyber security CVE debrief

CVE-2026-46385 iskorotkov CVE debrief

CVE-2026-46385 is a high-severity denial-of-service vulnerability in the iskorotkov/avro Go library, a fast Avro codec implementation. The flaw exists in versions prior to 2.33.0 and stems from improper error handling in array and map decoders. Specifically, the decoder loops over an attacker-controlled block-count value without checking the underlying reader's error state within the loop body. Because Reader.ReadBlockHeader returns the count as a Go int (64-bit on amd64/arm64), a malicious producer can declare a block containing up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF or a truncated payload. The decoder then attempts that many no-op iterations before propagating the error, effectively pinning a CPU core indefinitely until external termination (OOM kill, deadline cancellation, or process termination). This constitutes a remote, unauthenticated denial-of-service condition. The vulnerability was published on 2026-05-29 and is classified under CWE-400 (Uncontrolled Resource Consumption).

Vendor: iskorotkov
Product: avro
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations using iskorotkov/avro versions prior to 2.33.0 to process untrusted Avro data, particularly in network-exposed services, serverless functions, or data pipelines where CPU resource exhaustion could cascade to broader availability impacts. Development teams maintaining Go applications with Avro deserialization capabilities should prioritize this update.

Technical summary

The vulnerability resides in the array and map decoder implementations of the iskorotkov/avro library. The decoders call Reader.ReadBlockHeader to obtain a block count, which returns a Go int type. On 64-bit architectures (amd64, arm64), this permits values up to math.MaxInt64. The decoder then enters a loop iterating this many times without checking if the underlying reader has encountered an error. An attacker can craft a malicious Avro payload declaring an enormous block count immediately followed by EOF or truncated data. The decoder will execute the loop body for each declared element—performing no actual work due to the EOF condition—but only propagates the error after completing all iterations. This results in unbounded CPU consumption from a single malicious request, constituting a remote, unauthenticated denial-of-service. The realistic impact is process termination via external mechanisms rather than natural completion.
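The loop pattern described above, shown as an added example rather than code from the iskorotkov/avro project. The Reader, ReadBlockHeader and ReadLong names follow the advisory's description, but their implementation here (a sticky-error reader over an in-memory byte slice, zigzag-varint longs) is an assumption made for illustration. decodeLongArrayVulnerable reproduces the flaw: it consults the reader's error only after iterating over the declared count, so a header claiming a million elements followed by EOF costs a million no-op iterations. decodeLongArrayHardened checks the error state on every iteration and stops at the first failed read. Both return an iteration counter so the cost difference is measurable on the constructed payloads.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Reader is a minimal stand-in (an assumption of this example, not the
// library's type) for an Avro binary reader with a sticky error: once a read
// fails, every later read returns 0 and the error stays recorded.
type Reader struct {
	r   *bytes.Reader
	err error
}

func NewReader(b []byte) *Reader { return &Reader{r: bytes.NewReader(b)} }

// Error reports the first read error, if any.
func (rd *Reader) Error() error { return rd.err }

// ReadLong decodes one Avro long (zigzag varint). At EOF it records the error
// and returns 0, so a loop that never consults Error() keeps spinning.
func (rd *Reader) ReadLong() int64 {
	if rd.err != nil {
		return 0
	}
	u, err := binary.ReadUvarint(rd.r)
	if err != nil {
		rd.err = err
		return 0
	}
	return int64(u>>1) ^ -int64(u&1) // zigzag decode
}

// ReadBlockHeader returns the element count of the next array/map block as a
// Go int (64-bit on amd64/arm64). A negative Avro count means |count| elements
// preceded by the block's byte size, which is read and discarded here.
func (rd *Reader) ReadBlockHeader() int {
	n := rd.ReadLong()
	if n < 0 {
		n = -n
		rd.ReadLong()
	}
	return int(n)
}

// decodeLongArrayVulnerable mirrors the flawed pattern: it loops over the
// attacker-controlled count and checks the reader's error only after the inner
// loop. The second result counts iterations so the wasted work is visible.
func decodeLongArrayVulnerable(rd *Reader) ([]int64, int, error) {
	var out []int64
	iters := 0
	for {
		count := rd.ReadBlockHeader()
		if count == 0 {
			break
		}
		for i := 0; i < count; i++ {
			iters++
			out = append(out, rd.ReadLong()) // yields 0 after EOF: no real work
		}
		if err := rd.Error(); err != nil {
			return nil, iters, err
		}
	}
	return out, iters, rd.Error()
}

// decodeLongArrayHardened checks the reader's error state on every iteration,
// so a truncated payload ends decoding at the first failed read regardless of
// how large the declared count is.
func decodeLongArrayHardened(rd *Reader) ([]int64, int, error) {
	var out []int64
	iters := 0
	for {
		count := rd.ReadBlockHeader()
		if err := rd.Error(); err != nil {
			return nil, iters, err
		}
		if count == 0 {
			break
		}
		for i := 0; i < count; i++ {
			iters++
			v := rd.ReadLong()
			if err := rd.Error(); err != nil {
				return nil, iters, err
			}
			out = append(out, v)
		}
	}
	return out, iters, nil
}

// encodeLong appends the Avro zigzag-varint encoding of n.
func encodeLong(dst []byte, n int64) []byte {
	var buf [binary.MaxVarintLen64]byte
	k := binary.PutUvarint(buf[:], uint64((n<<1)^(n>>63)))
	return append(dst, buf[:k]...)
}

// EncodeLongArray builds a well-formed single-block Avro array of longs.
func EncodeLongArray(vals []int64) []byte {
	b := encodeLong(nil, int64(len(vals)))
	for _, v := range vals {
		b = encodeLong(b, v)
	}
	return encodeLong(b, 0) // a zero count terminates the array
}

// TruncatedArrayPayload is a constructed sample in the shape the advisory
// describes: a block header declaring `count` elements followed by nothing.
func TruncatedArrayPayload(count int64) []byte { return encodeLong(nil, count) }

func main() {
	bad := TruncatedArrayPayload(1_000_000)
	_, n, err := decodeLongArrayVulnerable(NewReader(bad))
	fmt.Printf("vulnerable: %d iterations before reporting %v\n", n, err)
	_, n, err = decodeLongArrayHardened(NewReader(bad))
	fmt.Printf("hardened:   %d iteration(s) before reporting %v\n", n, err)
}
```

The per-iteration check is the essential correction; the example's count of one million is chosen so it finishes quickly, whereas the math.MaxInt64 count the advisory describes would spin until killed. When the whole payload is already in memory, rejecting a block count larger than the number of bytes remaining is a cheap extra pre-check, since every element occupies at least one byte; it is not shown here because it is a mitigation beyond the fix the advisory describes.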

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade iskorotkov/avro to version 2.33.0 or later to remediate this vulnerability
  • Implement input validation and size limits on Avro payloads before decoding
  • Monitor for anomalous CPU consumption patterns in services processing untrusted Avro data
  • Consider resource quotas and timeout mechanisms to limit impact of potential DoS attempts
  • Review application logs for unexpected EOF errors during Avro decoding operations

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details regarding block-count handling and Go int behavior derived from CVE description. Fix version 2.33.0 confirmed via advisory. CVSS 4.0 vector indicates network attack vector with high availability impact.

Official resources

2026-05-29