{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/avro/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["avro","avro/v2"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","memory-exhaustion","avro","data-serialization"],"_cs_type":"advisory","_cs_vendors":["Iskorotkov","Hamba"],"content_html":"\u003cp\u003eThe Avro map decoder in \u003ccode\u003eiskorotkov/avro/v2\u003c/code\u003e prior to version 2.33.0 is vulnerable to a denial-of-service attack due to unbounded memory allocation. The decoder processes attacker-controlled block-element counts from the wire format without enforcing an upper bound on the map size. This allows a malicious producer to declare an arbitrarily large map, either in a single block or chunked across multiple blocks, leading to excessive memory consumption and potentially crashing the application due to out-of-memory errors. The vulnerability exists because the map decoder lacked the \u003ccode\u003eConfig.MaxMapAllocSize\u003c/code\u003e limit that was present in the slice decoder to prevent similar attacks against arrays. 
To mitigate this, version 2.33.0 introduces \u003ccode\u003eConfig.MaxMapAllocSize\u003c/code\u003e, but it\u0026rsquo;s opt-in, requiring explicit configuration to activate the limit.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Avro payload with an extremely large map size declaration.\u003c/li\u003e\n\u003cli\u003eThe payload is sent to a vulnerable Avro decoder instance.\u003c/li\u003e\n\u003cli\u003eThe decoder reads the initial block header, which specifies a large element count.\u003c/li\u003e\n\u003cli\u003eWithout \u003ccode\u003eMaxMapAllocSize\u003c/code\u003e configured, the decoder attempts to allocate memory for the map based on the attacker-controlled size.\u003c/li\u003e\n\u003cli\u003eIf the initial block isn\u0026rsquo;t large enough to exhaust memory, the attacker splits the large map into smaller blocks, each declaring element counts below a per-block threshold.\u003c/li\u003e\n\u003cli\u003eThe decoder reads subsequent block headers and continues allocating memory, growing the map incrementally.\u003c/li\u003e\n\u003cli\u003eThe cumulative memory allocation exceeds available resources.\u003c/li\u003e\n\u003cli\u003eThe application crashes due to an out-of-memory (OOM) error, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition. The affected service becomes unavailable, impacting all users. The severity depends on the resources allocated to the affected service and the size of the map specified in the malicious payload. 
If not properly configured, applications using affected versions of the Avro decoder are susceptible to memory exhaustion, potentially leading to service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003egithub.com/iskorotkov/avro/v2\u003c/code\u003e version 2.33.0 or later and explicitly set a non-zero value for \u003ccode\u003eConfig.MaxMapAllocSize\u003c/code\u003e based on your schema\u0026rsquo;s requirements as described in the mitigation section.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003egithub.com/hamba/avro/v2\u003c/code\u003e, migrate to \u003ccode\u003egithub.com/iskorotkov/avro/v2 \u0026gt;= v2.33.0\u003c/code\u003e and configure \u003ccode\u003eMaxMapAllocSize\u003c/code\u003e due to the archived nature of the original module.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Avro Decoder Unbounded Map Allocation Attempt\u0026rdquo; to monitor for unusually large map allocation attempts in Avro decoding processes.\u003c/li\u003e\n\u003cli\u003eImplement resource constraints, such as memory limits within child processes or cgroups, to contain potential OOM errors if immediate upgrades are not feasible.\u003c/li\u003e\n\u003cli\u003eReject inputs from untrusted sources lacking resource controls to prevent potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T13:02:19Z","date_published":"2026-05-18T13:02:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-avro-map-dos/","summary":"The Avro map decoder accepted attacker-controlled block-element counts, leading to unbounded map growth and potential denial-of-service via memory exhaustion; upgrading to v2.33.0 requires explicit configuration of MaxMapAllocSize to mitigate the vulnerability.","title":"Avro Map Decoder Vulnerable to Denial-of-Service via Unbounded Memory 
Allocation","url":"https://feed.craftedsignal.io/briefs/2026-05-avro-map-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Avro","version":"https://jsonfeed.org/version/1.1"}