fluent-plugin-s3 CVE-2026-44162
LOWSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Requires S3 bucket write access (PR:H); attack initiated remotely via S3 API (AV:N); impact confined to Fluentd process availability only (A:L, C:N, I:N).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing heavily compressed files (such as gzip, lzma2, and lzop) from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.
If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file. When Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.
Impact
This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, This results in the disruption of all log collection on the affected node.
Patches
v1.8.5
Workarounds
If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:
- Restrict Bucket Access
- Ensure that write (PUT) access to the S3 bucket monitored by
in_s3is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.
AnalysisAI
Memory exhaustion via decompression bomb in fluent-plugin-s3's in_s3 input plugin enables an attacker with S3 bucket write access to crash the Fluentd log collection process. Versions 0.7.0 through 1.8.4 decompress gzip, lzma2, and lzop files from S3 into memory with no size cap, allowing a crafted high-ratio compressed payload to trigger an OS OOM kill and disrupt all log ingestion on the affected node. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker possesses IAM permissions sufficient to upload objects (s3:PutObject or equivalent) to the specific S3 bucket and prefix being monitored by the `in_s3` plugin - this is the primary limiting factor (CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L) accurately characterizes this as low severity given the high-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or already possesses IAM credentials with s3:PutObject permissions on the monitored bucket uploads a crafted decompression bomb - for example, a sub-megabyte gzip file that expands to tens of gigabytes - into the S3 prefix monitored by Fluentd's `in_s3` plugin. When Fluentd's polling cycle picks up the object and calls the relevant extractor, memory consumption ramps rapidly until the Linux OOM killer terminates the Fluentd process, halting all log collection on that node. … |
| Remediation | Upgrade fluent-plugin-s3 to version 1.8.5, which is the vendor-released patch resolving this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xv9w-7v6q-hpjh