CVE-2026-39414
ADVISORY - githubSummary
Impact
What kind of vulnerability is it? Who is impacted?
MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV
files containing lines longer than available memory. The CSV reader's nextSplit()
function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire
input in memory until a newline is found. A CSV file with no newline characters
causes the entire contents to be read into a single allocation, leading to an OOM
crash of the MinIO server process.
This is exploitable by any authenticated user with s3:PutObject and s3:GetObject
permissions. The attack is especially practical when combined with compression:
a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without
newlines, allowing a small upload to cause large memory consumption on
the server. However, compression is not required — a sufficiently large uncompressed
CSV with no newlines triggers the same issue.
Affected component: internal/s3select/csv/reader.go, function
nextSplit().
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected Versions
All MinIO releases are through the final release of the minio/minio open-source project.
The vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV.
The CSV reader has used unbounded line reads since this commit (originally via
Go's stdlib encoding/csv.Reader, later via bufio.Reader.ReadBytes after a refactor
in PR #8200.
The first affected release is RELEASE.2018-08-18T03-49-57Z.
Patches
Fixed in: MinIO AIStor RELEASE.2025-12-20T04-58-37Z
The fix replaces the unbounded bufio.Reader.ReadBytes('\n') call with a
byte-at-a-time loop that caps line scanning at 128 KB (csvSplitSize). If no
newline is found within this limit, the reader returns an error instead of
continuing to buffer.
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20251220045837.0.0_amd64.deb |
| DEB | arm64 | minio_20251220045837.0.0_arm64.deb |
| RPM | amd64 | minio-20251220045837.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20251220045837.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
Disable S3 Select access via IAM policy. Deny the
s3:GetObjectaction with a condition restrictings3:prefixon sensitive buckets, or more specifically, denySelectObjectContentrequests at a reverse proxy by blockingPOSTrequests with?select&select-type=2query parameters.Restrict PutObject permissions. Limit
s3:PutObjectgrants to trusted principals to reduce the attack surface. Note: this reduces risk but does not eliminate the vulnerability since any authorized user can exploit it.
References
- Introducing commit:
7c14cdb60(PR #6127) - MinIO AIStor
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in