Skip to main content

fluent-plugin-s3 CVE-2026-44162

LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-26 https://github.com/fluent/fluent-plugin-s3 GHSA-xv9w-7v6q-hpjh
2.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
2.7 LOW

Requires S3 bucket write access (PR:H); attack initiated remotely via S3 API (AV:N); impact confined to Fluentd process availability only (A:L, C:N, I:N).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 17:51 vuln.today
Analysis Generated
Jun 26, 2026 - 17:51 vuln.today

DescriptionGitHub Advisory

The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing heavily compressed files (such as gzip, lzma2, and lzop) from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.

If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file. When Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.

Impact

This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, This results in the disruption of all log collection on the affected node.

Patches

v1.8.5

Workarounds

If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:

  1. Restrict Bucket Access
  • Ensure that write (PUT) access to the S3 bucket monitored by in_s3 is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.

AnalysisAI

Memory exhaustion via decompression bomb in fluent-plugin-s3's in_s3 input plugin enables an attacker with S3 bucket write access to crash the Fluentd log collection process. Versions 0.7.0 through 1.8.4 decompress gzip, lzma2, and lzop files from S3 into memory with no size cap, allowing a crafted high-ratio compressed payload to trigger an OS OOM kill and disrupt all log ingestion on the affected node. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain S3 bucket write IAM credentials
Delivery
Craft decompression bomb (gzip/lzma2/lzop)
Exploit
Upload malicious file to monitored S3 bucket
Execution
Fluentd in_s3 plugin polls and retrieves file
Persist
Unbounded decompression exhausts node memory
Impact
OOM kill terminates Fluentd process

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker possesses IAM permissions sufficient to upload objects (s3:PutObject or equivalent) to the specific S3 bucket and prefix being monitored by the `in_s3` plugin - this is the primary limiting factor (CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L) accurately characterizes this as low severity given the high-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or already possesses IAM credentials with s3:PutObject permissions on the monitored bucket uploads a crafted decompression bomb - for example, a sub-megabyte gzip file that expands to tens of gigabytes - into the S3 prefix monitored by Fluentd's `in_s3` plugin. When Fluentd's polling cycle picks up the object and calls the relevant extractor, memory consumption ramps rapidly until the Linux OOM killer terminates the Fluentd process, halting all log collection on that node. …
Remediation Upgrade fluent-plugin-s3 to version 1.8.5, which is the vendor-released patch resolving this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy