Go Avro Codec Vulnerability in iskorotkov's Product
CVE-2026-46384

8.7 HIGH

Key Information:

Vendor:
Iskorotkov

Status:
Vendor

CVE Published:
29 May 2026

What is CVE-2026-46384?

The iskorotkov/avro Go codec, prior to version 2.33.0, contains critical vulnerabilities resulting from improper handling of 64-bit values in various decoder paths. On 32-bit platforms, attackers can exploit unchecked narrowing conversions (an int64 length truncated to the platform's 32-bit int), leading to potential buffer overflows or bypass of slice limits. Additionally, specific arithmetic errors in size calculations could trigger DoS conditions across architectures, allowing an attacker to induce unexpected application behavior or crashes. Updating to the fixed version 2.33.0 mitigates these risks.
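The two failure modes the description names, a narrowing conversion that silently truncates a 64-bit length and a size calculation that overflows, are easier to see in code. The following is an added, illustrative Go example written for this page; it is not the iskorotkov/avro implementation and does not reproduce its internals. It relies only on the standard Avro encoding of lengths as zigzag varint longs. The `maxSliceLen` limit, the `intBits` parameter (which simulates a 32-bit `int` on a 64-bit host), and the `minElemBytes` argument are assumptions made for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Illustrative example, not code from iskorotkov/avro. Avro encodes array,
// map, bytes and string lengths as zigzag varint longs, so a decoder always
// starts from an int64 regardless of the platform's int width.

// maxSliceLen is a constructed per-decoder limit on element counts.
const maxSliceLen int64 = 1 << 20

var errBadLength = errors.New("avro: invalid length")

// encodeLong writes a zigzag varint long (used here only to build input).
func encodeLong(v int64) []byte {
	u := uint64(v<<1) ^ uint64(v>>63)
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, u)
	return buf[:n]
}

// decodeLong reads one zigzag varint long and reports bytes consumed.
func decodeLong(buf []byte) (int64, int, error) {
	u, n := binary.Uvarint(buf)
	if n <= 0 {
		return 0, 0, fmt.Errorf("%w: malformed varint", errBadLength)
	}
	return int64(u>>1) ^ -int64(u&1), n, nil
}

// unsafeLength models the unchecked pattern: the int64 is narrowed to the
// platform int and handed straight to make() or slicing. narrowTo32
// simulates a 32-bit platform on a 64-bit host, where int(v) is int32(v).
func unsafeLength(buf []byte, narrowTo32 bool) (int, error) {
	v, _, err := decodeLong(buf)
	if err != nil {
		return 0, err
	}
	if narrowTo32 {
		return int(int32(v)), nil // 1<<32 + 1 silently becomes 1
	}
	return int(v), nil
}

// platformMaxInt returns the largest int for a 32- or 64-bit platform
// (simulation parameter; a real decoder would use math.MaxInt).
func platformMaxInt(intBits int) int64 {
	if intBits == 32 {
		return math.MaxInt32
	}
	return math.MaxInt64
}

// safeLength validates the full 64-bit value before narrowing it:
// non-negative, representable as the platform int, within the decoder's
// own limit, and not more elements than the remaining bytes can hold
// (minElemBytes is the smallest encoded size of one element; 1 for bytes).
func safeLength(buf []byte, limit int64, intBits int, minElemBytes int64) (int, []byte, error) {
	v, n, err := decodeLong(buf)
	if err != nil {
		return 0, nil, err
	}
	rest := buf[n:]
	switch {
	case v < 0:
		return 0, nil, fmt.Errorf("%w: negative %d", errBadLength, v)
	case v > platformMaxInt(intBits):
		return 0, nil, fmt.Errorf("%w: %d exceeds platform int", errBadLength, v)
	case v > limit:
		return 0, nil, fmt.Errorf("%w: %d exceeds limit %d", errBadLength, v, limit)
	case minElemBytes > 0 && v > int64(len(rest))/minElemBytes:
		return 0, nil, fmt.Errorf("%w: %d elements cannot fit in %d bytes", errBadLength, v, len(rest))
	}
	return int(v), rest, nil
}

// naiveFits is the overflowing size calculation: count*elemSize wraps for
// large counts, so the comparison passes when it should fail.
func naiveFits(count, elemSize, avail int) bool {
	return count*elemSize <= avail
}

// checkedFits divides instead of multiplying and therefore cannot overflow.
func checkedFits(count, elemSize, avail int) bool {
	if count < 0 || elemSize <= 0 || avail < 0 {
		return false
	}
	return count <= avail/elemSize
}

func main() {
	big := encodeLong(1<<32 + 1) // constructed hostile length prefix
	n, _ := unsafeLength(big, true)
	fmt.Println("unchecked narrowing on 32-bit:", n)
	_, _, err := safeLength(big, maxSliceLen, 32, 1)
	fmt.Println("checked:", err)
	fmt.Println("naive size check passes:", naiveFits(1<<62, 8, 1<<30))
	fmt.Println("checked size check passes:", checkedFits(1<<62, 8, 1<<30))
}
```

The point of `safeLength` is that every comparison happens on the int64 the wire format actually carries; the conversion to `int` is the last step and only runs after the value is known to fit. `checkedFits` shows the same discipline for the count-times-size calculation: dividing the available space by the element size cannot wrap, whereas the multiplication in `naiveFits` does.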

Affected Version(s)

avro < 2.33.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved