CVE-2026-39414

Published: Apr 08, 2026 Last Modified: Apr 15, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high

Description

AI Translation Available

MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required — a sufficiently large uncompressed CSV with no newlines triggers the same issue.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0003
Percentile
0,1th
Updated

EPSS Score Trend (Last 8 Days)

770

Allocation of Resources Without Limits or Throttling

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
Application

Minio by Minio

Product Information
Vendor Minio
Product Minio
Version Range Affected
From 2018-08-18t03-49-57z (inclusive)
To 2025-10-15t17-29-55z (inclusive)
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://docs.min.io/enterprise/aistor-object-store/upgrade-…
https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/commun…
https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be…
https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7
https://github.com/minio/minio/pull/8200
https://github.com/minio/minio/pull/8200
https://github.com/minio/minio/security/advisories/GHSA-h74…
https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg