CVE-2026-46384: CWE-190: Integer Overflow or Wraparound in iskorotkov avro
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets (GOARCH=386, arm, mips, wasm, etc.), the truncation paths can silently bypass byte-slice limits, select the wrong union branch, or hit the OCF negative-make panic via wrap. Three sub-issues are not 32-bit-specific: cumulative-size arithmetic overflow in arrayDecoder.Decode / mapDecoder.Decode / mapDecoderUnmarshaler.Decode (wraps at math.MaxInt64 on amd64 / arm64 and bypasses MaxSliceAllocSize / MaxMapAllocSize), math.MinInt negation in block-header handling, and make([]byte, size) with a negative size in OCF block reads — all three panic or bypass caps on any platform, giving an attacker a denial-of-service primitive there. This vulnerability is fixed in 2.33.0.
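The three defect patterns named above (narrowing a wire int64 to int before bounds-checking, negating math.MinInt64, and summing block sizes with wrap-prone arithmetic) all come down to validating a decoded 64-bit value before it is narrowed, negated or accumulated. The following is an added illustration written for this page, not code from iskorotkov/avro; the cap constant, function names and error value are constructed for the example.

```go
package main

import (
	"errors"
	"math"
)

// Constructed cap standing in for the codec's MaxSliceAllocSize-style limit.
const MaxSliceAllocSize int64 = 1 << 20
var ErrSizeOutOfRange = errors.New("avro: size out of range")

// CheckedLen validates a 64-bit length from the wire before narrowing it.
// Doing int(n) first on a 32-bit target would wrap 1<<32+16 to 16 and let
// the truncated value pass a bounds check (or reach make([]byte, n) negative).
func CheckedLen(n int64, limit int64) (int, error) {
	if n < 0 || n > limit || n > int64(math.MaxInt) {
		return 0, ErrSizeOutOfRange
	}
	return int(n), nil
}

// AbsBlockCount returns |count| for an array/map block header (a negative
// count means a block byte size follows). -math.MinInt64 wraps back to
// math.MinInt64, so that input is rejected rather than negated.
func AbsBlockCount(count int64) (int64, error) {
	if count == math.MinInt64 {
		return 0, ErrSizeOutOfRange
	}
	if count < 0 {
		return -count, nil
	}
	return count, nil
}

// SizeAccumulator tracks the running byte total across blocks and fails
// instead of wrapping past math.MaxInt64 back under the cap.
type SizeAccumulator struct{ total, limit int64 }

func NewSizeAccumulator(limit int64) *SizeAccumulator {
	return &SizeAccumulator{limit: limit}
}

// Add rejects negative sizes and any size that would push total over limit.
// total <= limit is an invariant, so limit-total never underflows.
func (a *SizeAccumulator) Add(n int64) error {
	if n < 0 || n > a.limit-a.total {
		return ErrSizeOutOfRange
	}
	a.total += n
	return nil
}
```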
AI Analysis
Technical Summary
The iskorotkov avro Go codec before version 2.33.0 contains multiple integer overflow and wraparound issues (CWE-190). On 32-bit architectures, narrowing 64-bit attacker-controlled values to platform-sized integers before bounds checking can bypass byte-slice limits or cause incorrect union branch selection. Additionally, on all platforms, cumulative size arithmetic in array and map decoders can overflow, bypassing allocation size caps. Negation of math.MinInt in block-header handling and creating slices with negative sizes during OCF block reads can cause panics or denial-of-service. These vulnerabilities allow attackers to cause crashes or memory allocation issues. The issues are resolved in version 2.33.0.
Potential Impact
Exploitation of these integer overflow and wraparound flaws can lead to denial-of-service by causing panics or bypassing memory allocation limits, potentially crashing applications using the affected avro codec. There is no indication of remote code execution or data corruption beyond denial-of-service. The truncation issues are specific to 32-bit targets, while the cumulative-size overflow, math.MinInt negation and negative make issues affect all platforms.
Mitigation Recommendations
Upgrade iskorotkov avro to version 2.33.0 or later, where these integer overflow vulnerabilities are fixed. No official patch or temporary workaround is indicated beyond updating to the fixed version.
CVSS v4.0
Score: 8.7 (High)
Weaknesses
CWE-190: Integer Overflow or Wraparound
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-13T19:53:47.922Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
- GCVE Source: db.gcve.eu
Threat ID: 6a19feb4e29bf47b500fc2dd
Added to database: 5/29/2026, 9:01:40 PM
Last enriched: 5/29/2026, 9:04:17 PM
Last updated: 5/31/2026, 4:54:46 AM