{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39414", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.595Z", "datePublished": "2026-04-08T20:05:11.377Z", "dateUpdated": "2026-04-09T16:17:17.322Z"}, "containers": {"cna": {"title": "MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg"}, {"name": "https://github.com/minio/minio/pull/8200", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/8200"}, {"name": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7"}, {"name": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition", "tags": ["x_refsource_MISC"], "url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": ">= RELEASE.2018-08-18T03-49-57Z, < RELEASE.2025-12-20T04-58-37Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:05:11.377Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required \u2014 a sufficiently large uncompressed CSV with no newlines triggers the same issue."}], "source": {"advisory": "GHSA-h749-fxx7-pwpg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:57:40.322565Z", "id": "CVE-2026-39414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:17:17.322Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:57:40.322565Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:57:50.671Z"}}], "cna": {"title": "MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing", "source": {"advisory": "GHSA-h749-fxx7-pwpg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": ">= RELEASE.2018-08-18T03-49-57Z, < RELEASE.2025-12-20T04-58-37Z"}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg", "name": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/minio/minio/pull/8200", "name": "https://github.com/minio/minio/pull/8200", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7", "name": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition", "name": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required \u2014 a sufficiently large uncompressed CSV with no newlines triggers the same issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:05:11.377Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39414", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:17:17.322Z", "dateReserved": "2026-04-07T00:23:30.595Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:05:11.377Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "AAB60BDE-9136-44FF-AEC2-C00F76E8BB05", "versionEndIncluding": "2025-10-15t17-29-55z", "versionStartIncluding": "2018-08-18t03-49-57z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required \u2014 a sufficiently large uncompressed CSV with no newlines triggers the same issue."}], "id": "CVE-2026-39414", "lastModified": "2026-04-15T19:30:46.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:16:58.877", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/minio/minio/pull/8200"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": ">= RELEASE.2018-08-18T03-49-57Z, < RELEASE.2025-12-20T04-58-37Z"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "minio", "source": "cna", "vendor": "minio"}, "product": "minio", "vendor": "minio"}], "analysis": {"en": {"generated_at": "2026-04-08T21:24:45.120452+00:00", "value": {"mitigation_remediation": ["Upgrade to a MinIO release newer than RELEASE.2025-12-20T04-58-37Z to eliminate the unbounded memory allocation.", "If an upgrade is not immediately possible, disable the S3 Select feature for affected buckets or on the server to prevent the vulnerable parsing path.", "Implement input validation that rejects CSV files without newline characters or enforces a maximum data size before they reach S3 Select.", "Apply least\u2011privilege controls, ensuring only trusted users have s3:PutObject and s3:GetObject permissions that could trigger S3 Select operations.", "Continuously monitor server logs for OOM crashes and apply patches from the vendor as soon as they become available."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service due to Memory Exhaustion"}, "threat_synthesis": {"affected_systems": "Versions from RELEASE.2018-08-18T03-49-57Z up to but not including RELEASE.2025-12-20T04-58-37Z of the MinIO product are affected. Any instance of MinIO that has the S3 Select feature enabled is vulnerable.", "description_and_impact": "An unbounded memory allocation occurs in MinIO\u2019s S3 Select CSV parsing when a CSV file contains lines longer than available memory. The CSV reader calls ReadBytes('\\n') without a size limit, buffering the entire input until a newline is found. A file without a newline causes the entire content to be read into a single allocation, leading to an out\u2011of\u2011memory crash of the MinIO server process.", "risk_and_exploitability": "The CVSS score of 7.1 reflects a High severity vulnerability that allows any authenticated user with s3:PutObject and s3:GetObject permissions to trigger a denial of service. The EPSS score is not available, but the lack of a known exploit in the KEV catalog does not reduce the risk; attackers can construct a malicious CSV, optionally compressed, to consume large amounts of memory and crash the server. The vulnerability is directly exploitable through S3 operations without additional prerequisites."}}}}, "created": "2026-04-09T08:18:06.285867+00:00", "updated": "2026-04-09T08:27:28.897456+00:00", "vendors": ["minio", "minio$PRODUCT$minio"]}