CVE-2026-39414: MinIO vulnerable to DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
What kind of vulnerability is it? Who is impacted?
MinIO’s S3 Select feature is vulnerable to memory exhaustion when processing CSV
files containing lines longer than available memory. The CSV reader’s nextSplit()
function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire
input in memory until a newline is found. A CSV file with no newline characters
causes the entire contents to be read into a single allocation, leading to an OOM
crash of the MinIO server process.
This is exploitable by any authenticated user with s3:PutObject and s3:GetObject
permissions. The attack is especially practical when combined with compression:
a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without
newlines, allowing a small upload to cause large memory consumption on
the server. However, compression is not required — a sufficiently large uncompressed
CSV with no newlines triggers the same issue.
Affected component: internal/s3select/csv/reader.go, function
nextSplit().
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
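To make the failure mode concrete, here is an added Go example that is not MinIO's code and not the fix in the referenced commit. It reproduces the ReadBytes('\n') pattern the advisory describes for nextSplit() next to a hypothetical bounded line reader, and feeds both the same constructed upload: a gzip stream that inflates to 16 MiB of 'a' bytes with no newline. The names readLineUnbounded, readLineBounded, gzipRepeat and Run, the 1 MiB line cap and the 64 KiB scan buffer are this example's own choices, not values from the project.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrLineTooLong is returned by readLineBounded when a line exceeds the cap.
var ErrLineTooLong = errors.New("csv: line exceeds maximum length")

// readLineUnbounded follows the pattern the advisory describes for nextSplit():
// ReadBytes('\n') keeps buffering until a newline appears, so the allocation is
// sized by attacker-controlled input. It returns how many bytes it ended up holding.
func readLineUnbounded(r io.Reader) (int, error) {
	line, err := bufio.NewReader(r).ReadBytes('\n')
	if err != nil && err != io.EOF {
		return 0, err
	}
	return len(line), nil
}

// readLineBounded is a hypothetical hardened reader (not MinIO's fix): it scans
// for the newline with ReadSlice over a fixed 64 KiB buffer and rejects a line
// longer than maxLine before that much memory is ever held.
func readLineBounded(r io.Reader, maxLine int) ([]byte, error) {
	br := bufio.NewReaderSize(r, 64*1024)
	var line []byte
	for {
		chunk, err := br.ReadSlice('\n')
		if len(line)+len(chunk) > maxLine {
			return nil, ErrLineTooLong
		}
		line = append(line, chunk...) // copy: chunk aliases br's internal buffer
		switch {
		case err == nil:
			return line, nil // newline found
		case errors.Is(err, bufio.ErrBufferFull):
			continue // no newline yet; bytes held so far are <= maxLine
		case errors.Is(err, io.EOF):
			return line, nil // final line without a trailing newline
		default:
			return nil, err
		}
	}
}

// gzipRepeat builds the constructed upload: a gzip stream that inflates to n
// copies of b with no newline anywhere. Repetitive data compresses at roughly
// 1000:1, the amplification behind the advisory's "~2 MB to gigabytes" figure.
func gzipRepeat(b byte, n int) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(bytes.Repeat([]byte{b}, n)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Result records bytes uploaded, bytes the vulnerable reader held, and the bounded reader's verdict.
type Result struct {
	Compressed int
	Unbounded  int
	BoundedErr error
}

// Run inflates the constructed payload once through each reader.
func Run(payload, maxLine int) (Result, error) {
	gz, err := gzipRepeat('a', payload)
	if err != nil {
		return Result{}, err
	}
	res := Result{Compressed: len(gz)}
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return Result{}, err
	}
	if res.Unbounded, err = readLineUnbounded(zr); err != nil {
		return Result{}, err
	}
	if zr, err = gzip.NewReader(bytes.NewReader(gz)); err != nil {
		return Result{}, err
	}
	_, res.BoundedErr = readLineBounded(zr, maxLine)
	return res, nil
}

func main() {
	res, err := Run(16<<20, 1<<20) // 16 MiB newline-free payload, 1 MiB line cap
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes gzip; unbounded reader held %d bytes; bounded reader: %v\n",
		res.Compressed, res.Unbounded, res.BoundedErr)
}
```

Running it shows the asymmetry the advisory relies on: the gzip upload is well under 100 KiB, the unbounded reader ends up holding all 16 MiB of the inflated payload in a single slice, and the bounded reader fails with ErrLineTooLong after scanning 1 MiB without ever growing beyond its fixed buffer. A per-line cap is only half of a real fix; a server should also cap total decompressed bytes per request (for example by wrapping the decompressor in io.LimitReader), since a line limit alone does not bound how much a crafted object can make the server read.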
References
- docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition
- github.com/advisories/GHSA-h749-fxx7-pwpg
- github.com/minio/minio
- github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7
- github.com/minio/minio/pull/8200
- github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg
- nvd.nist.gov/vuln/detail/CVE-2026-39414