CVE-2026-39414 — Allocation of Resources Without Limits or Throttling in Minio Minio

CWE-770 — Allocation of Resources Without Limits or Throttling4 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 84.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Minio Minio Minio

Timeline

PublishedApr 8

Latest updateApr 9

Description

MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a si…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Gogithub.com/minio_minio0.0.0-20180815103019-7c14cdb60e53 — 0.0.0-20251203081239-27742d469462

▶CVEListV5minio/minio>= RELEASE.2018-08-18T03-49-57Z, < RELEASE.2025-12-20T04-58-37Z

🔴Vulnerability Details

GHSA

MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing↗2026-04-09

▶

OSV

MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing↗2026-04-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-39414 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶