Memory Exhaustion Vulnerability in MinIO Object Storage System
CVE-2026-39414

7.1 HIGH

Key Information:

Vendor: Minio

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-39414?

The MinIO object storage system has a memory exhaustion vulnerability in its S3 Select feature. It is triggered when S3 Select processes a CSV file containing a line longer than the available memory. The CSV reader's nextSplit() function has no size limit and keeps buffering data until it finds a newline. As a result, a CSV file consisting of a single line with no newline character causes the entire file content to be read in one allocation, producing an Out Of Memory (OOM) crash of the MinIO server process.

The risk is compounded for authenticated users with s3:PutObject and s3:GetObject permissions. Malicious actors can exploit this by uploading a compressed CSV file (e.g., a small gzip file) that decompresses to a much larger size without line breaks. Compression is not required: a large uncompressed CSV file can trigger the same memory exhaustion.
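The missing control described above is a per-record size cap in the line splitter. The following is an added example, not MinIO's code or its patch; the names ReadBoundedLine and ErrRecordTooLong and the 1 MiB limit are assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrRecordTooLong is a hypothetical error name used by this example.
var ErrRecordTooLong = errors.New("csv record exceeds size limit")

// ReadBoundedLine returns the next newline-terminated record from r, or
// ErrRecordTooLong once more than maxLen bytes arrive without a newline.
// Memory use is capped at roughly maxLen plus the bufio buffer size.
func ReadBoundedLine(r *bufio.Reader, maxLen int) ([]byte, error) {
	var line []byte
	for {
		frag, err := r.ReadSlice('\n') // yields at most one buffer of data
		line = append(line, frag...)   // copy: frag is only valid until the next read
		if len(line) > maxLen {
			return nil, ErrRecordTooLong // stop before buffering the rest
		}
		switch {
		case err == nil:
			return line, nil
		case errors.Is(err, bufio.ErrBufferFull):
			continue // no newline yet; keep reading while under the cap
		case errors.Is(err, io.EOF) && len(line) > 0:
			return line, nil // final record without a trailing newline
		default:
			return nil, err
		}
	}
}

func main() {
	// Constructed inputs: a normal CSV and an 8 MiB run with no newline.
	ok := bufio.NewReaderSize(strings.NewReader("a,b\n1,2\n"), 4096)
	first, _ := ReadBoundedLine(ok, 1<<20)
	fmt.Printf("%q\n", first)

	bad := bufio.NewReaderSize(bytes.NewReader(bytes.Repeat([]byte("x"), 8<<20)), 4096)
	_, err := ReadBoundedLine(bad, 1<<20)
	fmt.Println(err)
}
```

Because the cap is applied to the bytes read from the stream, it holds equally when the reader wraps a gzip decompressor, which is the compressed-upload case the description mentions.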

Affected Version(s)

minio >= RELEASE.2018-08-18T03-49-57Z, < RELEASE.2025-12-20T04-58-37Z

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved