Integer overflow in Iskorotkov Avro
CVE-2026-46384
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with ove…
Vulnerability class: Integer Overflow
EPSS: 0.001 (17.6th percentile)
Affected products
- Iskorotkov Avro — versions < 2.33.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)