Resource exhaustion in Iskorotkov Avro
CVE-2026-46385
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeade…
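The loop pattern the advisory describes, beside its hardened form, as an added Go example that is not the iskorotkov/avro code: a toy `array<long>` decoder whose lax mode trusts the block count and ignores per-item reader errors, and whose strict mode aborts on the first read error. The names `decodeLongArray`, `readLong` and `maxItems`, and the byte sequence in `main`, are constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

var errTruncated = fmt.Errorf("avro: array block truncated")

// readLong decodes one Avro long (zigzag-encoded varint); on error it returns 0 and the error.
func readLong(r *bytes.Reader) (int64, error) {
	u, err := binary.ReadUvarint(r)
	return int64(u>>1) ^ -int64(u&1), err
}

// decodeLongArray decodes an Avro array<long> (negative block counts with a trailing
// byte size are omitted for brevity). strict=false reproduces the pre-2.33.0 pattern
// the advisory describes: the item loop trusts the block count and ignores per-item
// read errors; strict=true aborts on the first one. maxItems only keeps the lax loop
// finite for the demo. Returns the items, the item iterations performed, and the error.
func decodeLongArray(data []byte, strict bool, maxItems int64) ([]int64, int64, error) {
	r, out, iters := bytes.NewReader(data), []int64(nil), int64(0)
	for {
		count, err := readLong(r)
		if err != nil {
			return out, iters, err
		}
		if count == 0 { // a zero block count terminates the array
			return out, iters, nil
		}
		for i := int64(0); i < count; i++ {
			if iters++; iters > maxItems {
				return out, iters, fmt.Errorf("avro: gave up after %d items", maxItems)
			}
			v, err := readLong(r)
			if strict && err != nil {
				return out, iters, errTruncated
			}
			out = append(out, v) // after EOF the lax loop keeps appending zeros
		}
	}
}

func main() {
	// Constructed input: block count 1_000_000 (zigzag varint 80 89 7A), one
	// item (42 -> 54), then the stream ends with no terminating zero block.
	crafted := []byte{0x80, 0x89, 0x7A, 0x54}
	_, n, err := decodeLongArray(crafted, true, 1000)
	fmt.Println("strict:", n, err) // strict: 2 avro: array block truncated
}
```

Run with `strict=false` to see the lax loop burn through `maxItems` iterations on the same four bytes; without that demo bound it would iterate the full one million times.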
Vulnerability class: DoS (Denial of Service)
EPSS: 0.001 (17.6th percentile)
Affected products
- Iskorotkov Avro — versions < 2.33.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)