Summary
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project are affected.
The vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV.
The CSV reader has used unbounded line reads since this commit (originally via Go's stdlib encoding/csv.Reader, later via bufio.Reader.ReadBytes after a refactor in PR #8200).
The first affected release is RELEASE.2018-08-18T03-49-57Z.
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20251220045837.0.0_amd64.deb |
| DEB | arm64 | minio_20251220045837.0.0_arm64.deb |
| RPM | amd64 | minio-20251220045837.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20251220045837.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
- Disable S3 Select access via IAM policy. Deny the s3:GetObject action with a condition restricting s3:prefix on sensitive buckets, or more specifically, deny SelectObjectContent requests at a reverse proxy by blocking POST requests with ?select&select-type=2 query parameters.
- Restrict PutObject permissions. Limit s3:PutObject grants to trusted principals to reduce the attack surface. Note: this reduces risk but does not eliminate the vulnerability since any authorized user can exploit it.
References
- Introducing commit: 7c14cdb60 (PR #6127)
- MinIO AIStor
Impact
What kind of vulnerability is it? Who is impacted?
MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV
files containing lines longer than available memory. The CSV reader's nextSplit()
function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire
input in memory until a newline is found. A CSV file with no newline characters
causes the entire contents to be read into a single allocation, leading to an OOM
crash of the MinIO server process.
This is exploitable by any authenticated user with s3:PutObject and s3:GetObject
permissions. The attack is especially practical when combined with compression:
a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without
newlines, allowing a small upload to cause large memory consumption on
the server. Compression is not required, however: a sufficiently large uncompressed
CSV with no newlines triggers the same issue.
Affected component: internal/s3select/csv/reader.go, function nextSplit().
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in: MinIO AIStor RELEASE.2025-12-20T04-58-37Z
The fix replaces the unbounded bufio.Reader.ReadBytes('\n') call with a
byte-at-a-time loop that caps line scanning at 128 KB (csvSplitSize). If no
newline is found within this limit, the reader returns an error instead of
continuing to buffer.
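The unbounded read described under Impact, placed beside the bounded byte-at-a-time scan the fix adopts, as an added Go example that is not MinIO's own reader.go; csvSplitSize, errLineTooLong and largestLine are names chosen here, with the 128 KB figure taken from the advisory, and the newline-free input is constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
)

// csvSplitSize mirrors the 128 KB cap from the fix (illustration, not MinIO's reader.go).
const csvSplitSize = 128 << 10

var errLineTooLong = errors.New("csv: no newline within csvSplitSize bytes")

// Pre-fix pattern: ReadBytes grows its buffer until '\n' or EOF, so a newline-free body becomes one body-sized allocation.
func readLineUnbounded(r *bufio.Reader) ([]byte, error) {
	return r.ReadBytes('\n')
}

// Fixed pattern: consume one byte at a time and fail once csvSplitSize bytes have passed without a newline.
func readLineBounded(r *bufio.Reader) ([]byte, error) {
	var line []byte
	for len(line) < csvSplitSize {
		b, err := r.ReadByte()
		if err == io.EOF && len(line) > 0 {
			return line, nil // final line with no trailing newline
		}
		if err != nil {
			return nil, err
		}
		if line = append(line, b); b == '\n' {
			return line, nil
		}
	}
	return nil, errLineTooLong
}

// largestLine runs readLine over input until it stops and reports the biggest line handed back (the allocation the uploader controls) plus the final error.
func largestLine(input []byte, readLine func(*bufio.Reader) ([]byte, error)) (int, error) {
	r, largest := bufio.NewReader(bytes.NewReader(input)), 0
	for {
		line, err := readLine(r)
		if len(line) > largest {
			largest = len(line)
		}
		if err != nil {
			return largest, err
		}
	}
}
```

With a 1 MiB newline-free body, readLineUnbounded hands back a single 1 MiB line at EOF, while readLineBounded stops after 128 KB with errLineTooLong and allocates nothing larger than that; a gzip-compressed upload behaves the same way once decompressed, only with a much larger body.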
Frequently Asked Questions
- What is CVE-2026-39414? CVE-2026-39414 is a high-severity allocation of resources without limits or throttling vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20180815103019-7c14cdb60e53, <= 0.0.0-20251203081239-27742d469462. No fixed version is listed yet. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
- Which versions of github.com/minio/minio are affected by CVE-2026-39414? github.com/minio/minio (go) versions >= 0.0.0-20180815103019-7c14cdb60e53, <= 0.0.0-20251203081239-27742d469462 are affected.
- Is there a fix for CVE-2026-39414? No fixed version is listed for CVE-2026-39414 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-39414 exploitable, and should I be worried? Whether CVE-2026-39414 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-39414 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-39414? No fixed version is listed yet. In the interim: Apply per-request resource limits and enforce them before allocation. Rate-limit callers at the network or application layer.