Remote Unauth DoS in iskorotkov/avro <2.33 via Block-Count Loop
CVE-2026-46385 Published on May 29, 2026

iskorotkov/avro: CPU Exhaustion in Avro Decoder
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally" a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.

NVD

Vulnerability Analysis

CVE-2026-46385 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Types

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2026-46385 has been classified to as a Resource Exhaustion vulnerability or weakness.

What is an Infinite Loop Vulnerability?

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

CVE-2026-46385 has been classified to as an Infinite Loop vulnerability or weakness.


Products Associated with CVE-2026-46385

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Acm
 
Red Hat Cryostat
 
Red Hat Multicluster Globalhub
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Hummingbird
 

Affected Versions

iskorotkov avro: Red Hat Advanced Cluster Management for Kubernetes 2.13: Red Hat Cryostat 4: Red Hat Multicluster Global Hub: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Hardened Images:

Exploit Probability

EPSS
0.29%
Percentile
20.66%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.