HIGH 7.5

CVE-2026-46385: iskorotkov/avro Denial-of-Service via Unbounded Block Iteration

A vulnerability in the iskorotkov/avro Go library allows an attacker to crash applications processing Avro-encoded data. By sending a specially crafted message that declares an extremely large block of array or map elements (up to 9.2 quintillion), an attacker can force the decoder into a loop that consumes CPU resources indefinitely until the application runs out of memory or is forcibly terminated. The attack requires no authentication and can be triggered over the network with a single malicious payload.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400, CWE-835
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-30

NVD description (verbatim)

iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets — so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally" — a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The Avro array and map decoders in iskorotkov/avro prior to version 2.33.0 contain a resource exhaustion vulnerability (CWE-835: Infinite Loop). The Reader.ReadBlockHeader function returns a block count as a Go int (64-bit on amd64/arm64 platforms), which the decoders loop over without validating the underlying reader's error state on each iteration. An attacker can send a payload declaring a block count approaching math.MaxInt64 (~9.2 × 10^18) followed by EOF or truncated data. The decoder will attempt all declared iterations before propagating the error, effectively performing busy-waiting on that value rather than failing fast. This creates a denial-of-service condition where a single message pins a CPU core until external termination, out-of-memory condition, or deadline expiration.

Business impact

Applications using iskorotkov/avro for message processing face availability risk. A remote attacker can disable service endpoints by submitting crafted Avro payloads, causing worker threads or goroutines to exhaust CPU and memory until the process crashes or becomes unresponsive. This is particularly damaging in microservices architectures, API gateways, or data pipelines where Avro is used for deserialization. Recovery requires manual intervention (process restart or kill), and the attack surface includes any network-accessible service that accepts Avro-encoded input.

Affected systems

All applications and services using iskorotkov/avro library versions prior to 2.33.0 are affected. This includes any Go-based service that deserializes untrusted Avro messages—for example, Kafka consumers, REST API backends, message queue processors, or data analytics pipelines. The vulnerability is platform-independent but has the most severe impact on 64-bit architectures (amd64, arm64) where the block count can reach maximum int values; 32-bit builds would have smaller upper bounds but remain vulnerable to resource exhaustion.

Exploitability

Exploitability is high. No authentication, special network conditions, or user interaction is required. An attacker needs only to craft a single Avro message with a large block count and send it to a vulnerable endpoint. The payload is trivial to construct—a standard Avro encoder can generate the malicious message, or it can be hand-crafted given knowledge of the Avro binary format. The barrier to exploitation is low; impact is immediate and deterministic.

Remediation

Upgrade iskorotkov/avro to version 2.33.0 or later, which includes fixes to validate the reader's error state during block decoding iterations. Teams should audit their dependencies to identify all services using this library and prioritize patching based on exposure (whether the service processes untrusted Avro input). Consider network-level mitigations such as request timeouts, resource limits per connection, and monitoring for unusual CPU spikes or goroutine proliferation during the patch window.

Patch guidance

Apply the fix by updating the library dependency to 2.33.0 or newer. For Go module-based projects, run 'go get -u iskorotkov/avro' or update the go.mod file directly and run 'go mod tidy'. Verify the upgrade by checking 'go list -m iskorotkov/avro' to confirm the installed version. Perform a staged rollout to production—start with non-critical or canary environments to ensure compatibility, then proceed to critical workloads. Given the simplicity of the exploit, expedited patching is recommended.

Detection guidance

Monitor for signs of resource exhaustion triggered by Avro decoding: sustained high CPU usage on a single core, rapid goroutine accumulation, or memory growth correlated with message ingestion. Log decoder errors and timeouts; a spike in these events may indicate exploitation attempts. Network-based detection is challenging but can be enhanced by inspecting Avro messages for unusually large block count declarations (larger than typical business payloads) or truncated payloads. Implement rate limiting and per-client resource quotas to limit damage from a single hostile payload.

Why prioritize this

This vulnerability scores 7.5 (HIGH) due to its remote, unauthenticated attack vector, low complexity, and high availability impact. Although it does not compromise confidentiality or integrity, the ability to crash services with a single network request makes it a priority for services processing untrusted Avro data. The vulnerability is not yet listed in the CISA KEV catalog, but the low barrier to exploitation and potential for widespread impact in data-driven architectures warrant rapid patching.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: (1) Network Attack Vector—the vulnerability is remotely exploitable with no special network setup; (2) Low Attack Complexity—no special conditions or race conditions needed; (3) No Privileges or User Interaction required; (4) Unchanged Scope; (5) High impact to Availability—services become unavailable due to resource exhaustion. Confidentiality and Integrity are not affected (both None), hence the score reflects denial-of-service severity alone.

Frequently asked questions

If we're not directly processing untrusted Avro messages, is this vulnerability relevant to us?

Relevance depends on your supply chain. If your application uses iskorotkov/avro indirectly (as a transitive dependency of another library), review the context. If that transitive dependency only processes trusted internal messages, your risk is lower. However, if any part of your stack could receive Avro data from an untrusted source—even indirectly—patching is prudent to eliminate the vector entirely.

What should we do if we can't patch immediately?

Implement compensating controls: enforce strict timeouts on Avro decoding operations (e.g., context cancellation at the application level), limit goroutines or threads per client connection, and set memory limits per process. Monitor CPU and memory metrics for anomalies. Additionally, restrict network access to Avro endpoints to trusted sources only, and log all decoding errors for audit trails. Plan a patching window as soon as feasible—this is not a long-term mitigation.

Does this affect us if we only encode Avro messages and never decode them?

No. The vulnerability is in the decoder logic. If your application only produces (encodes) Avro messages and does not consume or parse them, you are not exposed. However, verify your full dependency tree to ensure no code paths inadvertently call the decoder.

Why does block count reach such a large number (9.2 × 10^18)?

Avro block counts are represented as signed 64-bit integers in the protocol. On 64-bit Go platforms (amd64, arm64), this maps directly to Go's int type, allowing counts up to math.MaxInt64. The decoder's loop was not checking for errors between iterations, so an attacker declaring a block larger than the payload size causes the loop to spin uselessly, draining resources. The fix validates the reader's error state after each iteration, so truncated or EOF conditions are caught immediately.

This analysis is based on the CVE description and vendor advisory as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of this information. Organizations should verify patch availability and compatibility with their specific versions and configurations by consulting the official iskorotkov/avro repository and release notes. This document is for informational purposes only and should not substitute for professional security assessment or vendor guidance. Exploit code or weaponized proof-of-concept details are not provided; organizations should conduct controlled testing in isolated environments if needed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).