Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11312

CVE-2026-11312: ByteDance InfiniStore DoS Vulnerability

CVE-2026-11312 is a denial of service vulnerability in ByteDance InfiniStore affecting versions up to 0.2.33. The flaw enables local attackers to exploit inefficient algorithms. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-11312 Overview

CVE-2026-11312 affects ByteDance InfiniStore versions up to 0.2.33. The vulnerability resides in the purge_kv_map function within the /src/infinistore.h library, part of the KV Map Handler component. Manipulation of this function triggers inefficient algorithmic complexity, classified under [CWE-404] Improper Resource Shutdown or Release. The flaw requires local access and authenticated low-privilege execution. A public exploit has been disclosed, but ByteDance has not responded to the upstream issue report at the time of publication. The weakness can degrade service performance through resource exhaustion rather than enabling code execution or data theft.

Critical Impact

Local attackers with low privileges can trigger algorithmic complexity attacks against the InfiniStore KV Map Handler, causing availability degradation in affected deployments.

Affected Products

  • ByteDance InfiniStore versions up to and including 0.2.33
  • KV Map Handler component (/src/infinistore.h)
  • purge_kv_map function in the InfiniStore library

Discovery Timeline

  • 2026-06-05 - CVE-2026-11312 published to NVD
  • 2026-06-05 - Last updated in NVD database

Technical Details for CVE-2026-11312

Vulnerability Analysis

The vulnerability is an algorithmic complexity flaw in ByteDance InfiniStore, a distributed key-value (KV) cache designed for large-scale inference workloads. The defective code path lives in purge_kv_map, declared in /src/infinistore.h. This routine handles removal of entries from the in-memory KV map structure. When an attacker submits specially crafted inputs that influence the purge logic, the function performs operations with worse-than-expected time complexity. Repeated invocation exhausts CPU resources on the affected node. The issue is local in nature, meaning the attacker must already have access to the host or its local IPC interfaces. Successful exploitation does not compromise confidentiality or integrity, but it degrades availability of the cache service.

Root Cause

The root cause is improper resource shutdown and release within the purge_kv_map function, mapped to [CWE-404]. The function does not bound the work performed per purge operation. Inputs that maximize iteration cost force the algorithm into degenerate behavior, consuming CPU cycles disproportionate to the request size.

Attack Vector

The attack vector is local. A low-privileged user on the same host invokes the affected code path through the InfiniStore client API or local interface. The attacker submits inputs that trigger the inefficient algorithmic path inside purge_kv_map. A public exploit has been disclosed through VulDB, increasing the likelihood of opportunistic use against unpatched deployments.

The vulnerability manifests in the KV map purge logic. Technical details for reproduction are tracked in the upstream issue referenced in the GitHub Issue #200 and the VulDB CVE-2026-11312 entry.

Detection Methods for CVE-2026-11312

Indicators of Compromise

  • Sustained high CPU utilization on InfiniStore worker processes without proportional request volume
  • Elevated latency or timeouts on KV cache purge operations and dependent inference jobs
  • Repeated local invocations of the InfiniStore client API from a single low-privileged user

Detection Strategies

  • Profile the InfiniStore process for time spent inside purge_kv_map using perf or equivalent sampling tools
  • Establish a CPU and latency baseline for the KV Map Handler and alert on statistical deviation
  • Audit local process execution and IPC connections to InfiniStore endpoints from non-administrative accounts

Monitoring Recommendations

  • Forward InfiniStore application logs and host telemetry to a centralized analytics platform for correlation
  • Track per-user invocation counts of cache purge operations to identify abuse patterns
  • Monitor host-level resource saturation metrics on nodes running InfiniStore versions at or below 0.2.33

How to Mitigate CVE-2026-11312

Immediate Actions Required

  • Inventory all hosts running ByteDance InfiniStore and identify instances at version 0.2.33 or earlier
  • Restrict local access to InfiniStore hosts to trusted operators and service accounts only
  • Monitor the ByteDance InfiniStore GitHub repository for an upstream fix

Patch Information

No vendor patch is available at the time of publication. The maintainers were notified through the upstream issue tracker but have not responded. Track remediation status via the GitHub Issue #200 and the VulDB Vulnerability #368398 entry.

Workarounds

  • Enforce strict operating system-level access controls to prevent unauthorized local users from reaching the InfiniStore interface
  • Apply resource limits using cgroups or ulimit to cap CPU consumption by the InfiniStore process
  • Rate-limit cache purge operations at the application layer where feasible
  • Isolate InfiniStore workloads in dedicated containers or namespaces to contain availability impact
bash
# Example: constrain InfiniStore CPU usage with systemd to limit DoS impact
sudo systemctl set-property infinistore.service CPUQuota=200%
sudo systemctl set-property infinistore.service TasksMax=512
sudo systemctl daemon-reload
sudo systemctl restart infinistore.service

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.