CVE-2026-46384: iskorotkov/avro: Integer Overflow in Avro Decoder
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets (GOARCH=386, arm, mips, wasm, etc.), the truncation paths can silently bypass byte-slice limits, select the wrong union branch, or hit the OCF negative-make panic via wrap. Three sub-issues are not 32-bit-specific: cumulative-size arithmetic overflow in arrayDecoder.Decode / mapDecoder.Decode / mapDecoderUnmarshaler.Decode (wraps at math.MaxInt64 on amd64 / arm64 and bypasses MaxSliceAllocSize / MaxMapAllocSize), math.MinInt negation in block-header handling, and make([]byte, size) with a negative size in OCF block reads — all three panic or bypass caps on any platform, giving an attacker a denial-of-service primitive there. This vulnerability is fixed in 2.33.0.
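The defect classes the advisory lists (narrowing a wire-supplied 64-bit value before bounds-checking, summing block counts with wrapping signed arithmetic, negating math.MinInt, and passing a negative size to make) all come down to how an Avro array/map block header is validated. The following is an added example written for this page, not code from iskorotkov/avro; it keeps every wire value as int64, rejects the MinInt64 negation, sums block counts against a cap without wrapping, and validates a byte length before it reaches make. The cap names echo the advisory's MaxSliceAllocSize / MaxMapAllocSize but their values, the error names and all sample inputs are assumptions constructed here. vulnerableTotal shows the unchecked pattern beside the checked one.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Caps a decoder enforces on wire-supplied sizes. The names follow the advisory;
// the values are assumptions for this example.
const (
	MaxSliceAllocSize int64 = 1 << 20
	MaxMapAllocSize   int64 = 1 << 16
)

var (
	ErrOverflow = errors.New("avro: integer overflow in block header")
	ErrTooLarge = errors.New("avro: allocation cap exceeded")
	ErrShort    = errors.New("avro: unexpected end of input")
)

// writeLong encodes v as an Avro zig-zag varint (used here only to build sample input).
func writeLong(v int64) []byte {
	u := uint64(v<<1) ^ uint64(v>>63)
	var out []byte
	for u >= 0x80 {
		out = append(out, byte(u)|0x80)
		u >>= 7
	}
	return append(out, byte(u))
}

// readLong decodes an Avro zig-zag varint from buf, returning the value and bytes consumed.
// An int64 never needs more than 10 groups, so anything longer is rejected.
func readLong(buf []byte) (int64, int, error) {
	var u uint64
	for i, b := range buf {
		if i >= 10 {
			return 0, 0, ErrOverflow
		}
		u |= uint64(b&0x7f) << (7 * uint(i))
		if b&0x80 == 0 {
			return int64(u>>1) ^ -int64(u&1), i + 1, nil
		}
	}
	return 0, 0, ErrShort
}

// blockHeader is a decoded array/map block header: the item count plus the optional
// byte size that follows a negative count. Size is -1 when no size was present.
type blockHeader struct {
	Count int64
	Size  int64
}

// readBlockHeader keeps both values as int64 and refuses math.MinInt64, whose negation
// wraps back to itself, as well as a negative size that would reach make([]byte, n).
func readBlockHeader(buf []byte) (blockHeader, int, error) {
	count, n, err := readLong(buf)
	if err != nil {
		return blockHeader{}, 0, err
	}
	hdr := blockHeader{Count: count, Size: -1}
	if count < 0 {
		if count == math.MinInt64 {
			return blockHeader{}, 0, ErrOverflow
		}
		hdr.Count = -count
		size, m, err := readLong(buf[n:])
		if err != nil {
			return blockHeader{}, 0, err
		}
		if size < 0 {
			return blockHeader{}, 0, ErrOverflow
		}
		hdr.Size = size
		n += m
	}
	return hdr, n, nil
}

// checkedTotal sums per-block counts without wrapping, failing as soon as the running
// total would exceed capLimit. This is the cumulative check the advisory describes as missing.
func checkedTotal(counts []int64, capLimit int64) (int64, error) {
	var total int64
	for _, c := range counts {
		if c < 0 {
			return 0, ErrOverflow
		}
		if c > capLimit-total {
			return 0, ErrTooLarge
		}
		total += c
	}
	return total, nil
}

// vulnerableTotal is the pattern being fixed: narrow to int, then sum unchecked.
// On 64-bit the sum wraps past math.MaxInt64; on 32-bit int(c) already truncates.
func vulnerableTotal(counts []int64) int {
	total := 0
	for _, c := range counts {
		total += int(c)
	}
	return total
}

// allocSize validates a wire-supplied byte length before it is narrowed and handed to make.
func allocSize(size int64, capLimit int64) (int, error) {
	if size < 0 {
		return 0, ErrOverflow
	}
	if size > capLimit || size > int64(math.MaxInt) {
		return 0, ErrTooLarge
	}
	return int(size), nil
}

func main() {
	hdr, _, err := readBlockHeader(append(writeLong(-2), writeLong(100)...))
	fmt.Println(hdr, err) // {2 100} <nil>
	_, _, err = readBlockHeader(writeLong(math.MinInt64))
	fmt.Println("MinInt64 header:", err)
	fmt.Println(checkedTotal([]int64{math.MaxInt64, 1}, math.MaxInt64))
	fmt.Println("unchecked:", vulnerableTotal([]int64{math.MaxInt64, 1}))
}
```

The point of doing the comparison as `c > capLimit-total` rather than `total+c > capLimit` is that the subtraction can never overflow once both operands are known non-negative, whereas the addition is exactly the expression that wrapped in the affected decoders.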
HarborGuard Analysis
Synopsis
Integer overflow in the iskorotkov/avro Go Avro codec lets a remote attacker crash the decoder by sending crafted Avro payloads. The flaw is reachable over the network with no authentication and no user interaction, and exploitation triggers panics or bypassed allocation caps that take down the affected service. The advisory lists 2.33.0 as the fixed release, and a patched-image rebuild at that version is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment. The advisory is ingested from upstream feeds within minutes of publication and matched against Go modules in customer registries and CI pipelines, including custom-built images that vendor iskorotkov/avro below 2.33.0.
- Triage: Available
Triage is available with the published CVSS v4.0 score of 8.7 (High) weighted against each customer org's compliance policy, so denial-of-service issues in network-exposed decoders can be escalated where that matters. Findings route into the appropriate inbox inside each customer org based on image ownership and workload exposure.
- Remediation: Pending upstream
A patched-image rebuild at iskorotkov/avro 2.33.0 is available on HarborGuard for affected workloads. For customers who opt into auto-remediation, the rebuild runs through regression tests and a pull request is opened against the affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach a service that decodes attacker-supplied Avro payloads over the network.
- Authentication: Not required
No credentials are needed; any client able to submit Avro data to the decoder can trigger the bug.
- Victim interaction: Not required
Exploitation is fully server-side and requires no action from a user.
- Attack complexity: Low
Attack complexity is low; crafted Avro byte sequences reliably trigger the overflow paths without environmental preconditions.
Blast Radius
- Crashes any Go service that decodes untrusted Avro input by triggering panics in arrayDecoder, mapDecoder, OCF block reads, or block-header negation.
- Bypasses MaxSliceAllocSize and MaxMapAllocSize caps via cumulative-size wraparound, enabling oversized allocations that exhaust process memory.
- On 32-bit targets, silently bypasses byte-slice limits and can steer union-branch selection by truncating 64-bit wire values, broadening the denial-of-service surface.
- No confidentiality or integrity impact; the CVSS vector reports VC:N/VI:N with availability impact only.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at iskorotkov/avro 2.33.0 for any image that vendors an affected version. For environments with auto-remediation enabled, the rebuild is regression-tested and a patch PR is opened against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Customers who cannot upgrade immediately can apply compensating controls such as restricting which clients can submit Avro payloads to the decoder, adding request-size limits in front of the service, and isolating the workload with network policy until the rebuilt image rolls out.
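One of the compensating controls above, a request-size limit in front of the decoder, is cheap to put in place in Go services that accept Avro over HTTP. The following is an added example, not HarborGuard's or the project's code: it caps the request body with http.MaxBytesReader before any bytes reach the decoder, answers 413 when the cap is hit, and only then calls the application's decode function. The cap value, the path, and the decode callback are assumptions; statusFor drives the handler in-process so the behaviour can be checked without a listener.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxAvroPayload is an assumed per-request cap; set it from the largest legitimate message.
const maxAvroPayload int64 = 64 << 10

// boundedAvroHandler reads at most limit bytes of body and rejects anything larger with
// 413 before decode ever runs. decode stands in for the service's Avro decoding call.
func boundedAvroHandler(limit int64, decode func([]byte) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, limit))
		if err != nil {
			var tooBig *http.MaxBytesError
			if errors.As(err, &tooBig) {
				http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if err := decode(body); err != nil {
			// A malformed payload is a client error; the decoder's own error is not echoed back.
			http.Error(w, "malformed avro", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// statusFor runs one POST through the handler in-process and returns the HTTP status code.
func statusFor(h http.Handler, body []byte) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/ingest", bytes.NewReader(body))
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	accept := func(b []byte) error { return nil }
	h := boundedAvroHandler(maxAvroPayload, accept)
	fmt.Println(statusFor(h, make([]byte, 16)))               // 204
	fmt.Println(statusFor(h, make([]byte, maxAvroPayload+1))) // 413
}
```

MaxBytesReader also closes the underlying connection once the limit is exceeded, so an oversized body is not read to completion before the request is refused.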
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- iskorotkov/avro < 2.33.0
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N