CVE-2026-11312 Overview
CVE-2026-11312 affects ByteDance InfiniStore versions up to 0.2.33. The vulnerability resides in the purge_kv_map function within the /src/infinistore.h library, part of the KV Map Handler component. Manipulation of this function triggers inefficient algorithmic complexity, classified under [CWE-404] Improper Resource Shutdown or Release. The flaw requires local access and authenticated low-privilege execution. A public exploit has been disclosed, but ByteDance has not responded to the upstream issue report at the time of publication. The weakness can degrade service performance through resource exhaustion rather than enabling code execution or data theft.
Critical Impact
Local attackers with low privileges can trigger algorithmic complexity attacks against the InfiniStore KV Map Handler, causing availability degradation in affected deployments.
Affected Products
- ByteDance InfiniStore versions up to and including 0.2.33
- KV Map Handler component (/src/infinistore.h)
- purge_kv_map function in the InfiniStore library
Discovery Timeline
- 2026-06-05 - CVE-2026-11312 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-11312
Vulnerability Analysis
The vulnerability is an algorithmic complexity flaw in ByteDance InfiniStore, a distributed key-value (KV) cache designed for large-scale inference workloads. The defective code path lives in purge_kv_map, declared in /src/infinistore.h. This routine handles removal of entries from the in-memory KV map structure. When an attacker submits specially crafted inputs that influence the purge logic, the function performs operations with worse-than-expected time complexity. Repeated invocation exhausts CPU resources on the affected node. The issue is local in nature, meaning the attacker must already have access to the host or its local IPC interfaces. Successful exploitation does not compromise confidentiality or integrity, but it degrades availability of the cache service.
Root Cause
The root cause is improper resource shutdown and release within the purge_kv_map function, mapped to [CWE-404]. The function does not bound the work performed per purge operation. Inputs that maximize iteration cost force the algorithm into degenerate behavior, consuming CPU cycles disproportionate to the request size.
Attack Vector
The attack vector is local. A low-privileged user on the same host invokes the affected code path through the InfiniStore client API or local interface. The attacker submits inputs that trigger the inefficient algorithmic path inside purge_kv_map. A public exploit has been disclosed through VulDB, increasing the likelihood of opportunistic use against unpatched deployments.
The vulnerability manifests in the KV map purge logic. Technical details for reproduction are tracked in the upstream issue referenced in the GitHub Issue #200 and the VulDB CVE-2026-11312 entry.
Detection Methods for CVE-2026-11312
Indicators of Compromise
- Sustained high CPU utilization on InfiniStore worker processes without proportional request volume
- Elevated latency or timeouts on KV cache purge operations and dependent inference jobs
- Repeated local invocations of the InfiniStore client API from a single low-privileged user
Detection Strategies
- Profile the InfiniStore process for time spent inside purge_kv_map using perf or equivalent sampling tools
- Establish a CPU and latency baseline for the KV Map Handler and alert on statistical deviation
- Audit local process execution and IPC connections to InfiniStore endpoints from non-administrative accounts
Monitoring Recommendations
- Forward InfiniStore application logs and host telemetry to a centralized analytics platform for correlation
- Track per-user invocation counts of cache purge operations to identify abuse patterns
- Monitor host-level resource saturation metrics on nodes running InfiniStore versions at or below 0.2.33
How to Mitigate CVE-2026-11312
Immediate Actions Required
- Inventory all hosts running ByteDance InfiniStore and identify instances at version 0.2.33 or earlier
- Restrict local access to InfiniStore hosts to trusted operators and service accounts only
- Monitor the ByteDance InfiniStore GitHub repository for an upstream fix
Patch Information
No vendor patch is available at the time of publication. The maintainers were notified through the upstream issue tracker but have not responded. Track remediation status via the GitHub Issue #200 and the VulDB Vulnerability #368398 entry.
Workarounds
- Enforce strict operating system-level access controls to prevent unauthorized local users from reaching the InfiniStore interface
- Apply resource limits using cgroups or ulimit to cap CPU consumption by the InfiniStore process
- Rate-limit cache purge operations at the application layer where feasible
- Isolate InfiniStore workloads in dedicated containers or namespaces to contain availability impact
# Example: constrain InfiniStore CPU usage with systemd to limit DoS impact
sudo systemctl set-property infinistore.service CPUQuota=200%
sudo systemctl set-property infinistore.service TasksMax=512
sudo systemctl daemon-reload
sudo systemctl restart infinistore.service
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

