RubySec

Providing security resources for the Ruby community

CVE-2026-44162 (fluent-plugin-s3): fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

Published: June 25, 2026

SECURITY IDENTIFIERS

GEM

fluent-plugin-s3

SEVERITY

CVSS v3.x: 2.7 (Low)

UNAFFECTED VERSIONS

< 0.7.0

PATCHED VERSIONS

>= 1.8.5

DESCRIPTION

The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing compressed objects (such as gzip, lzma2, and lzop) from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.

If an attacker has sufficient permissions to upload objects to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file (a decompression bomb). When Fluentd attempts to decompress this file, it expands to an excessive size and consumes significant system resources.

Impact

This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, which disrupts all log collection on the affected node. The precondition is write access to the monitored bucket, so the attacker is anyone or anything holding PutObject rights on it, including a compromised upstream log shipper.
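The following is an added illustration, not code from fluent-plugin-s3 and not the fix shipped in 1.8.5 (the advisory does not describe how the fix is implemented). It shows the two shapes the description contrasts: an inflate that materialises the whole payload in one String, and a chunked inflate that counts output bytes and aborts past a ceiling. The bomb is constructed inline from zero bytes; the 1 MiB ceiling, the helper names and the exception class are assumptions chosen for the demo.

```ruby
# Added example (not fluent-plugin-s3 code): an unbounded gzip read beside a
# bounded one, exercised against a constructed decompression bomb.
require 'zlib'
require 'stringio'

CHUNK_BYTES = 64 * 1024
# Hypothetical ceiling for the demo; a deployment would size this to its
# largest legitimate object plus headroom.
DEFAULT_MAX_DECOMPRESSED_BYTES = 1024 * 1024

class DecompressionLimitExceeded < StandardError; end

# Constructed test input: `decompressed_size` zero bytes, gzip-compressed.
# Deflate shrinks long zero runs by roughly 1000:1, so a few KiB stored in S3
# inflate to many MiB in memory.
def build_gzip_bomb(decompressed_size)
  io = StringIO.new(String.new)
  gz = Zlib::GzipWriter.new(io)
  zeros = "\0".b * CHUNK_BYTES
  remaining = decompressed_size
  while remaining > 0
    n = [remaining, CHUNK_BYTES].min
    gz.write(zeros.byteslice(0, n))
    remaining -= n
  end
  gz.finish # write the gzip trailer without closing `io`
  io.string
end

# Vulnerable shape: the entire decompressed payload lands in one String, so
# memory use is bounded only by the attacker's compression ratio.
def decompress_unbounded(compressed)
  Zlib::GzipReader.new(StringIO.new(compressed)).read
end

# Hardened shape: inflate in fixed-size chunks, count output bytes, and abort
# as soon as the cumulative size crosses the ceiling. Worst-case residency is
# `max_bytes` plus one chunk, regardless of how far the input would expand.
def decompress_bounded(compressed, max_bytes: DEFAULT_MAX_DECOMPRESSED_BYTES)
  total = 0
  out = StringIO.new(String.new)
  Zlib::GzipReader.wrap(StringIO.new(compressed)) do |gz|
    # GzipReader#read(len) returns nil at end of stream, like IO#read.
    while (chunk = gz.read(CHUNK_BYTES))
      total += chunk.bytesize
      if total > max_bytes
        raise DecompressionLimitExceeded,
              "decompressed output exceeds #{max_bytes} bytes (#{total} so far)"
      end
      out.write(chunk)
    end
  end
  out.string
end

# Inflated-to-stored ratio, for reporting.
def expansion_ratio(compressed, decompressed_size)
  decompressed_size.to_f / compressed.bytesize
end

if $PROGRAM_NAME == __FILE__
  eight_mib = 8 * 1024 * 1024
  bomb = build_gzip_bomb(eight_mib)
  puts "stored #{bomb.bytesize} bytes, inflates to #{eight_mib} bytes " \
       "(#{expansion_ratio(bomb, eight_mib).round}:1)"
  begin
    decompress_bounded(bomb)
  rescue DecompressionLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

Two practical notes on the bounded form. First, a log input would normally not accumulate even `max_bytes` in memory but stream each inflated chunk to the line splitter and emitter, keeping the byte counter as the only state; the String accumulation here is just to make the result checkable. Second, a ratio check on its own is not a substitute for an absolute ceiling, because the attacker controls both the stored size and the expansion, and a moderately sized object with a modest ratio still exhausts memory if the ceiling is missing.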

RELATED