Threat Advisory

Avro Decoder Vulnerability Exposes Uncontrolled Resource Consumption

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the go/github.com/iskorotkov/avro/v2 package, affecting versions prior to 2.33.0. These vulnerabilities are categorized as remote, unauthenticated denial-of-service (DoS) and integer overflow, with high severity. The vulnerabilities arise from unbounded loop iterations and integer narrowing in the Avro decoder, allowing an attacker to exhaust CPU resources or bypass limits on slice allocations. If exploited, these vulnerabilities could lead to significant business disruption and financial loss due to prolonged system downtime and potential data corruption.


  • CVE-2026-46385 with a CVSS score of 8.7 – The Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body, allowing an attacker to exploit unbounded iterations and cause a denial-of-service.
  • CVE-2026-46384 with a CVSS score of 8.2 – The Avro decoder accepted `int64` values from the Avro wire format and converted them to `int` before validation, allowing an attacker to bypass limits on slice allocations and cause a denial-of-service.

Exploiting these vulnerabilities requires an untrusted Avro stream, with no primitives reaching beyond denial-of-service on current code paths. Business consequences of exploitation could include prolonged system downtime, potential data corruption, and significant financial loss due to delayed business operations and potential data recovery efforts.
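To make the two decoder weaknesses concrete, the following is an added example written for this advisory; it is not code from the iskorotkov/avro project and does not reproduce its internals. It decodes a minimal Avro `array<long>` (zigzag varints, count-prefixed blocks, zero-count terminator) in the hardened shape both fixes describe: the block count is range-checked while it is still an `int64`, before any narrowing to `int`, and the reader's error is checked on every loop iteration so a truncated stream cannot drive the loop through an attacker-supplied count. The item cap `maxArrayItems`, the error value `ErrTooLarge` and the sample byte strings are constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"math"
)

// maxArrayItems is a constructed allocation cap for this example, not the library's setting.
const maxArrayItems = 1024

// ErrTooLarge is returned when a wire block count exceeds the remaining item budget.
var ErrTooLarge = errors.New("avro: block count exceeds allowed limit")

// readLong decodes one Avro "long" (zigzag-encoded varint) from r.
func readLong(r io.ByteReader) (int64, error) {
	var x uint64
	for shift := uint(0); ; shift += 7 {
		b, err := r.ReadByte()
		if err != nil {
			return 0, err // EOF or read failure is always propagated to the caller
		}
		if shift > 63 {
			return 0, errors.New("avro: varint longer than 10 bytes")
		}
		x |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			break
		}
	}
	return int64(x>>1) ^ -int64(x&1), nil // zigzag decode
}

// encodeLong is the inverse of readLong; used only to build sample input.
func encodeLong(v int64) []byte {
	u := uint64((v << 1) ^ (v >> 63))
	var out []byte
	for u >= 0x80 {
		out = append(out, byte(u)|0x80)
		u >>= 7
	}
	return append(out, byte(u))
}

// encodeLongArray encodes vals as one array block followed by the zero-count terminator.
func encodeLongArray(vals []int64) []byte {
	out := encodeLong(int64(len(vals)))
	for _, v := range vals {
		out = append(out, encodeLong(v)...)
	}
	return append(out, encodeLong(0)...)
}

// decodeLongArray decodes an Avro array<long> with both mitigations applied:
// the count is validated as int64 before narrowing, and reader errors end the
// item loop immediately instead of letting it spin through a bogus count.
func decodeLongArray(data []byte) ([]int64, error) {
	r := bytes.NewReader(data)
	var out []int64
	for {
		count, err := readLong(r)
		if err != nil {
			return nil, err
		}
		if count == 0 {
			return out, nil // terminator block
		}
		if count == math.MinInt64 {
			return nil, ErrTooLarge // -count would overflow back to a negative value
		}
		if count < 0 {
			// Negative count: its absolute value is the item count and a block
			// byte size follows on the wire (read here and ignored).
			count = -count
			if _, err := readLong(r); err != nil {
				return nil, err
			}
		}
		// Still int64 here: checking against the remaining budget before the
		// conversion means int(count) can never truncate, even on 32-bit int.
		if count > int64(maxArrayItems-len(out)) {
			return nil, ErrTooLarge
		}
		n := int(count)
		for i := 0; i < n; i++ {
			v, err := readLong(r) // error checked inside the loop body
			if err != nil {
				return nil, fmt.Errorf("avro: truncated array at item %d: %w", i, err)
			}
			out = append(out, v)
		}
	}
}

func main() {
	vals, err := decodeLongArray(encodeLongArray([]int64{1, -2, 300}))
	fmt.Println(vals, err)
	_, err = decodeLongArray(encodeLong(1 << 40)) // huge count with no items behind it
	fmt.Println(err)
}
```

The ordering of the checks is the point: an implementation that narrows first and then compares `int(count)` against the cap is exactly the pattern the second CVE describes, and one that reads items with `for i := 0; i < n; i++` while ignoring the read error is the first. Rejecting the block count while it is still an `int64`, and treating every read error as terminal, closes both.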

RECOMMENDATION:

  • We recommend updating iskorotkov/avro to version 2.33.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-w8j3-pq8g-8m7w
https://github.com/advisories/GHSA-mc57-h6j3-3hmv
