CVE-2026-39414

| EUVD-2026-20602 HIGH
2026-04-08 GitHub_M GHSA-h749-fxx7-pwpg
7.1
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Apr 08, 2026 - 20:46 vuln.today
EUVD ID Assigned
Apr 08, 2026 - 20:46 euvd
EUVD-2026-20602
CVE Published
Apr 08, 2026 - 20:05 nvd
HIGH 7.1

Tags

Denial Of Service Minio

Description

MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required - a sufficiently large uncompressed CSV with no newlines triggers the same issue.

Analysis

Memory exhaustion in MinIO S3 Select (RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z) allows authenticated users with s3:PutObject and s3:GetObject permissions to crash the server by uploading CSV files lacking newline characters. The vulnerable CSV reader buffers entire lines into memory without size limits, enabling attackers to trigger out-of-memory conditions. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all MinIO deployments running versions RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z and document current deployment versions. Within 7 days: Implement input validation on S3 Select CSV uploads (enforce maximum line lengths and file decompression ratios) and restrict s3:PutObject and s3:GetObject permissions to trusted principals only. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2026-39414 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy