GHSA-H749-FXX7-PWPG

Vulnerability from github – Published: 2026-04-09 17:32 – Updated: 2026-04-09 17:32
VLAI?
Summary
MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
Details

Impact

What kind of vulnerability is it? Who is impacted?

MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process.

This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required — a sufficiently large uncompressed CSV with no newlines triggers the same issue.

Affected component: internal/s3select/csv/reader.go, function nextSplit().

CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Versions

All MinIO releases are through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV. The CSV reader has used unbounded line reads since this commit (originally via Go's stdlib encoding/csv.Reader, later via bufio.Reader.ReadBytes after a refactor in PR #8200.

The first affected release is RELEASE.2018-08-18T03-49-57Z.

Patches

Fixed in: MinIO AIStor RELEASE.2025-12-20T04-58-37Z

The fix replaces the unbounded bufio.Reader.ReadBytes('\n') call with a byte-at-a-time loop that caps line scanning at 128 KB (csvSplitSize). If no newline is found within this limit, the reader returns an error instead of continuing to buffer.

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Format Architecture Download
DEB amd64 minio_20251220045837.0.0_amd64.deb
DEB arm64 minio_20251220045837.0.0_arm64.deb
RPM amd64 minio-20251220045837.0.0-1.x86_64.rpm
RPM arm64 minio-20251220045837.0.0-1.aarch64.rpm

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

  • Disable S3 Select access via IAM policy. Deny the s3:GetObject action with a condition restricting s3:prefix on sensitive buckets, or more specifically, deny SelectObjectContent requests at a reverse proxy by blocking POST requests with ?select&select-type=2 query parameters.

  • Restrict PutObject permissions. Limit s3:PutObject grants to trusted principals to reduce the attack surface. Note: this reduces risk but does not eliminate the vulnerability since any authorized user can exploit it.

References

Severity ?
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20180815103019-7c14cdb60e53"
            },
            {
              "last_affected": "0.0.0-20251203081239-27742d469462"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T17:32:31Z",
    "nvd_published_at": "2026-04-08T21:16:58Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nMinIO\u0027s S3 Select feature is vulnerable to memory exhaustion when processing CSV \nfiles containing lines longer than available memory. The CSV reader\u0027s `nextSplit()` \nfunction calls `bufio.Reader.ReadBytes(\u0027\\n\u0027)` with no size limit, buffering the entire \ninput in memory until a newline is found. A CSV file with no newline characters \ncauses the entire contents to be read into a single allocation, leading to an OOM\ncrash of the MinIO server process.\n\nThis is exploitable by any authenticated user with `s3:PutObject` and `s3:GetObject` \npermissions. The attack is especially practical when combined with compression: \na ~2 MB gzip-compressed CSV can decompress to gigabytes of data without \nnewlines, allowing a small upload to cause large memory consumption on \nthe server. However, compression is not required \u2014 a sufficiently large uncompressed \nCSV with no newlines triggers the same issue.\n\n**Affected component:** `internal/s3select/csv/reader.go`, function\n`nextSplit()`.\n\n**CWE:** CWE-770 (Allocation of Resources Without Limits or Throttling)\n\n### Affected Versions\n\nAll MinIO releases are through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV. \nThe CSV reader has used unbounded line reads since this commit (originally via \nGo\u0027s stdlib `encoding/csv.Reader`, later via `bufio.Reader.ReadBytes` after a refactor \nin [PR #8200](https://github.com/minio/minio/pull/8200). \n\nThe first affected release is `RELEASE.2018-08-18T03-49-57Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2025-12-20T04-58-37Z\n\nThe fix replaces the unbounded `bufio.Reader.ReadBytes(\u0027\\n\u0027)` call with a\nbyte-at-a-time loop that caps line scanning at 128 KB (`csvSplitSize`). If no\nnewline is found within this limit, the reader returns an error instead of\ncontinuing to buffer.\n\n#### Binary Downloads\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)           |\n| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)           |\n| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)          |\n| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)          |\n| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download                                                                                                                            |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB    | amd64        | [minio_20251220045837.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20251220045837.0.0_amd64.deb)         |\n| DEB    | arm64        | [minio_20251220045837.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20251220045837.0.0_arm64.deb)         |\n| RPM    | amd64        | [minio-20251220045837.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20251220045837.0.0-1.x86_64.rpm)   |\n| RPM    | arm64        | [minio-20251220045837.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20251220045837.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2025-12-20T04-58-37Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Disable S3 Select access via IAM policy.** Deny the `s3:GetObject` action\n  with a condition restricting `s3:prefix` on sensitive buckets, or more\n  specifically, deny `SelectObjectContent` requests at a reverse proxy by\n  blocking `POST` requests with `?select\u0026select-type=2` query parameters.\n\n- **Restrict PutObject permissions.** Limit `s3:PutObject` grants to trusted\n  principals to reduce the attack surface. Note: this reduces risk but does not\n  eliminate the vulnerability since any authorized user can exploit it.\n\n### References\n\n- Introducing commit: [`7c14cdb60`](https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7) ([PR #6127](https://github.com/minio/minio/pull/6127))\n- [MinIO AIStor](https://min.io/aistor)",
  "id": "GHSA-h749-fxx7-pwpg",
  "modified": "2026-04-09T17:32:31Z",
  "published": "2026-04-09T17:32:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39414"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/pull/8200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7"
    },
    {
      "type": "WEB",
      "url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.