CVE-2026-39414

Impact

What kind of vulnerability is it? Who is impacted?

MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV 

files containing lines longer than available memory. The CSV reader's nextSplit() 

function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire 

input in memory until a newline is found. A CSV file with no newline characters 

causes the entire contents to be read into a single allocation, leading to an OOM

crash of the MinIO server process.

This is exploitable by any authenticated user with s3:PutObject and s3:GetObject 

permissions. The attack is especially practical when combined with compression: 

a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without 

newlines, allowing a small upload to cause large memory consumption on 

the server. However, compression is not required — a sufficiently large uncompressed 

CSV with no newlines triggers the same issue.

Affected component: internal/s3select/csv/reader.go, function

nextSplit().

CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Versions

All MinIO releases are through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV. 

The CSV reader has used unbounded line reads since this commit (originally via 

Go's stdlib encoding/csv.Reader, later via bufio.Reader.ReadBytes after a refactor 

in PR #8200. 

The first affected release is RELEASE.2018-08-18T03-49-57Z.

Patches

Fixed in: MinIO AIStor RELEASE.2025-12-20T04-58-37Z

The fix replaces the unbounded bufio.Reader.ReadBytes('\n') call with a

byte-at-a-time loop that caps line scanning at 128 KB (csvSplitSize). If no

newline is found within this limit, the reader returns an error instead of

continuing to buffer.

Binary Downloads

| Platform | Architecture | Download                                                                    |

| -------- | ------------ | --------------------------------------------------------------------------- |

| Linux    | amd64        | minio           |

| Linux    | arm64        | minio           |

| macOS    | arm64        | minio          |

| macOS    | amd64        | minio          |

| Windows  | amd64        | minio.exe |

FIPS Binaries

| Platform | Architecture | Download                                                                    |

| -------- | ------------ | --------------------------------------------------------------------------- |

| Linux    | amd64        | minio.fips |

| Linux    | arm64        | minio.fips |

Package Downloads

| Format | Architecture | Download                                                                                                                            |

| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |

| DEB    | amd64        | minio20251220045837.0.0amd64.deb         |

| DEB    | arm64        | minio20251220045837.0.0arm64.deb         |

| RPM    | amd64        | minio-20251220045837.0.0-1.x86_64.rpm   |

| RPM    | arm64        | minio-20251220045837.0.0-1.aarch64.rpm |

Container Images

## Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
## FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

• Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2025-12-20T04-58-37Z or later.

If upgrading is not immediately possible:

• Disable S3 Select access via IAM policy. Deny the s3:GetObject action

  with a condition restricting s3:prefix on sensitive buckets, or more

  specifically, deny SelectObjectContent requests at a reverse proxy by

  blocking POST requests with ?select&select-type=2 query parameters.

• Restrict PutObject permissions. Limit s3:PutObject grants to trusted

  principals to reduce the attack surface. Note: this reduces risk but does not

  eliminate the vulnerability since any authorized user can exploit it.

References

• Introducing commit: 7c14cdb60 (PR #6127)
• MinIO AIStor