Skip to main content

InfiniStore CVE-2026-11312

| EUVD-2026-34778 LOW
Inefficient Algorithmic Complexity (CWE-407)
2026-06-05 VulDB GHSA-2vrg-7rqv-prf9
Information Disclosure Infinistore
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 05, 2026 - 02:22 NVD
3.3 (LOW) 1.9 (LOW)
Analysis Generated
Jun 05, 2026 - 01:51 vuln.today

DescriptionCVE.org

A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Inefficient algorithmic complexity in bytedance InfiniStore up to version 0.2.33 allows a local, low-privileged attacker to partially degrade availability by triggering worst-case execution in the purge_kv_map function. The CVSS vector (AV:L/AC:L/PR:L/UI:N/A:L) confirms limited blast radius - local-only access with no confidentiality or integrity impact - but a public proof-of-concept exists per the GitHub issue tracker and is reflected in the E:P temporal modifier. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privilege shell access
Delivery
Inject crafted KV entries into InfiniStore
Exploit
Trigger purge_kv_map cleanup cycle
Execution
Force worst-case algorithmic complexity
Impact
Cause partial InfiniStore availability degradation
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must have local access to the system running InfiniStore and a low-privilege OS account (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A locally authenticated user with minimal privileges submits a crafted set of key-value entries designed to trigger worst-case algorithmic behavior in purge_kv_map during a cleanup cycle. The function iterates over the malicious map structure in a computationally expensive pattern, causing the InfiniStore process to consume excessive CPU or stall, resulting in partial service unavailability. …
Remediation No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11312 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy