CVE-2026-11312: InfiniStore Algorithmic Complexity DoS Vulnerability
A flaw in ByteDance's InfiniStore library (versions up to 0.2.33) allows a local user to trigger inefficient algorithmic behavior in the key-value map purge function. An attacker with local access can manipulate input to the purge_kv_map routine, causing the function to consume excessive CPU or processing time. The vulnerability requires local system access and valid user privileges, limiting its scope, but public exploit code now exists.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-404, CWE-407
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11312 is an algorithmic complexity vulnerability in the purge_kv_map function within InfiniStore's KV Map Handler (/src/infinistore.h). The flaw stems from insufficient input validation or algorithmic efficiency in the purge routine, classified under CWE-404 (Uninitialized Variable) and CWE-407 (Inefficient Algorithmic Complexity). A local, authenticated attacker can supply specially crafted data that triggers worst-case time complexity, resulting in denial of service through resource exhaustion rather than code execution or data compromise.
Business impact
For organizations using InfiniStore as part of their data infrastructure, this vulnerability poses a localized denial-of-service risk. If an insider or compromised local account can reach the service, they can degrade performance or cause temporary unavailability of the KV store. The impact is contained to availability; confidentiality and integrity are not affected. However, in multi-tenant or cloud environments where InfiniStore is shared, a malicious tenant could disrupt service for others.
Affected systems
ByteDance InfiniStore versions 0.2.33 and earlier are affected. The vulnerability is present in the KV Map Handler component. No vendor product list is available in the advisory data, so end-users should verify their dependency versions and consult ByteDance's project repository for a complete list of impacted deployments. Organizations should audit their software supply chain for direct or transitive InfiniStore dependencies.
Exploitability
Public exploit code is available, lowering the barrier to weaponization. However, exploitation requires local system access and valid user credentials, which significantly constrains real-world risk in most environments. Remote exploitation is not possible. The attack does not require user interaction or special configuration, only the ability to invoke the purge_kv_map function with malicious input. Organizations with strict local access controls and user privilege separation are at reduced risk.
Remediation
Update InfiniStore to a patched version beyond 0.2.33. Verify the availability of a security release from ByteDance; as of the advisory modification date (2026-06-17), the project had not yet responded to the early disclosure. Monitor the ByteDance InfiniStore repository for security updates. In the interim, restrict local system access and enforce principle of least privilege for accounts that can interact with the KV store. Consider network segmentation if InfiniStore is exposed to untrusted local networks.
Patch guidance
Upgrade InfiniStore to the earliest available version after 0.2.33 that includes a fix for CVE-2026-11312. Check the official ByteDance InfiniStore GitHub repository (or vendor advisory) for patch availability and release notes. If a patch is not yet available, coordinate with your security team on compensating controls such as access restrictions, monitoring, and privilege review. Document the reason for any delayed patching to meet compliance requirements.
Detection guidance
Monitor for unusual CPU or resource consumption by InfiniStore processes, particularly correlated with purge_kv_map function calls. Log and alert on failed or anomalous KV map operations. Implement application-level monitoring to detect repeated or pathological purge operations with unusual argument patterns. Code review or static analysis of purge_kv_map invocations in your codebase can identify whether locally-accessible code paths could be exploited. Check for unexpected local account access to systems running InfiniStore.
Why prioritize this
Despite a low CVSS score (3.3), this vulnerability should not be ignored. The availability of public exploits and the presence in a widely-used library justify timely patching. However, the requirement for local access means this is lower priority than remote code execution flaws. Prioritize based on your environment: teams using InfiniStore in single-tenant, air-gapped, or tightly-controlled environments may safely defer; those with multi-tenant, cloud-native, or untrusted-local-user exposure should patch sooner.
Risk score, explained
CVSS 3.1 score of 3.3 (LOW) reflects the attack vector (local only), required privileges (low), and impact scope (availability only, no CIA compromise). The score does not account for the existence of public exploits or the attack's feasibility in supply-chain contexts. For organizations where local account compromise is a realistic threat model, consider the practical risk to be higher than the base score suggests.
Frequently asked questions
Do I need to patch this immediately?
Not necessarily. If your InfiniStore instances are deployed in air-gapped, single-user, or highly-restricted environments with strong local access controls, you can sequence this patch into a regular update cycle. However, if you operate multi-tenant infrastructure, cloud services, or allow untrusted local users, prioritize patching within 30 days.
Can this be exploited remotely?
No. The vulnerability requires local system access and valid user credentials. Remote attackers cannot exploit it unless they first compromise a local account or gain shell access through another means.
What versions are affected?
InfiniStore versions 0.2.33 and earlier. Check your pinned or transitive dependency versions in your package manager (pip, npm, cargo, etc.). The project maintainers have not yet released a patched version as of the advisory modification date; monitor their repository for updates.
Is this a supply-chain risk if InfiniStore is a dependency?
Potentially. If InfiniStore is embedded in a larger application or service you distribute, users of your software inherit this vulnerability if they use an affected version. Audit your dependencies, communicate patch availability to customers, and plan for version updates in your next release cycle.
This analysis is based on publicly available vulnerability data and the CVE record as of 2026-06-17. ByteDance had not responded to early disclosure at that date; patch availability and timelines may have changed. Consult the official ByteDance InfiniStore repository and security advisories for the most current guidance. This explainer does not constitute professional security advice; organizations should conduct their own risk assessment based on their specific infrastructure, threat model, and business context. No warranty or fitness for particular purpose is implied. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10197LOWAssimp glTF2 Null Pointer Dereference Denial of Service
- CVE-2026-10198LOWAssimp glTF Importer Null Pointer Dereference DoS Vulnerability
- CVE-2026-10199LOWAssimp Null Pointer Dereference in glTF2 Parsing
- CVE-2026-10201LOWAssimp FBX Divide-by-Zero Denial of Service
- CVE-2026-10295LOWDenial of Service in SourceCodester Customer Review App 1.0
- CVE-2026-10298LOWwhisper.cpp Null Pointer Dereference Vulnerability – Local Denial of Service
- CVE-2026-10705LOWDask HyperLogLog Resource Exhaustion Vulnerability
- CVE-2026-10775LOWSGLang Cache Handler Denial-of-Service Vulnerability (v0.5.11)