Denial of Service Vulnerability in Go Avro Codec by iskorotkov
CVE-2026-46385
8.7 HIGH
What is CVE-2026-46385?
The Go Avro codec by iskorotkov, in versions prior to 2.33.0, is susceptible to a denial of service vulnerability. When decoding Avro array and map structures, the decoder runs a loop whose iteration count is a block-count value taken from the input, without adequate error handling checks, so an attacker can supply a payload that makes the decoder attempt to process an extraordinarily large number of elements. This can cause significant resource consumption on the server, potentially pinning a CPU core indefinitely until the process is forcibly terminated. The flaw allows remote, unauthenticated denial of service, affecting the availability and reliability of the system. The issue has been resolved in version 2.33.0.
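The bounded block-count loop that this class of bug calls for, as an added Go example that is not the project's own code: it decodes an Avro array of longs block by block, fails on every read error instead of continuing on a stale count, and rejects any block count that the remaining input cannot possibly satisfy. The maxItems cap is an assumed application-chosen value.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// maxItems is an application-chosen cap on total array length (assumed value).
const maxItems = 1 << 20

// DecodeLongArray decodes an Avro array<long> from data. Avro writes an array
// as blocks: a zigzag-varint item count, the items, and a final zero count; a
// negative count means |count| items preceded by the block's byte size. Go's
// binary.ReadVarint uses the same zigzag varint as Avro's long type.
func DecodeLongArray(data []byte) ([]int64, error) {
	r := bytes.NewReader(data)
	var out []int64
	for {
		count, err := binary.ReadVarint(r)
		if err != nil { // the flawed pattern loops on a count read without checking err
			return nil, fmt.Errorf("block count: %w", err)
		}
		if count == 0 {
			return out, nil
		}
		if count < 0 {
			count = -count // math.MinInt64 stays negative and is rejected below
			if _, err := binary.ReadVarint(r); err != nil {
				return nil, fmt.Errorf("block size: %w", err)
			}
		}
		// Every item occupies at least one byte, so a count larger than the
		// remaining input (or the cap) is unsatisfiable: reject it before looping.
		if count <= 0 || count > int64(r.Len()) || int64(len(out))+count > maxItems {
			return nil, errors.New("block count exceeds remaining input or item cap")
		}
		for i := int64(0); i < count; i++ {
			v, err := binary.ReadVarint(r)
			if err != nil {
				return nil, fmt.Errorf("item %d: %w", i, err)
			}
			out = append(out, v)
		}
	}
}
```

The same bound applies to map blocks, where each entry carries at least a one-byte key length plus a value.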
Affected Version(s)
avro < 2.33.0
