CVE-2026-11312 in InfiniStore
Summary
by MITRE • 06/05/2026
A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/05/2026
The vulnerability identified in bytedance InfiniStore up to version 0.2.33 represents a critical performance degradation issue within the KV Map Handler component. This flaw manifests in the purge_kv_map function located in the /src/infinistore.h library file, where the algorithmic complexity becomes inefficient during key-value map purging operations. The vulnerability is classified as a local attack vector, meaning that exploitation requires physical or logical access to the system where InfiniStore is deployed. The affected component serves as a fundamental building block for managing key-value data structures within the storage system, making this vulnerability particularly concerning for applications that rely heavily on efficient data management operations.
The technical implementation of the purge_kv_map function demonstrates poor algorithmic design that leads to excessive computational overhead during cleanup operations. This inefficient complexity typically manifests as increased time complexity that scales poorly with dataset size, potentially leading to denial of service conditions when large key-value maps require purging. The vulnerability aligns with CWE-502 which covers deserialization of untrusted data and potentially related algorithmic complexity issues in data processing functions. The flawed implementation likely involves suboptimal data structure operations or unnecessary iterations that compound during purging activities, creating a performance bottleneck that can be exploited by malicious actors with local access privileges.
From an operational standpoint, this vulnerability presents significant risks to systems running affected versions of InfiniStore, particularly in environments where high-throughput key-value operations are common. The public availability of exploit code means that attackers can readily leverage this weakness to degrade system performance or cause service disruption. The lack of response from the project maintainers despite early issue reporting creates a dangerous scenario where organizations continue to deploy vulnerable versions without proper mitigation strategies. This vulnerability could be weaponized through the ATT&CK framework's privilege escalation and resource exhaustion techniques, where attackers manipulate the inefficient algorithm to consume excessive computational resources. The impact extends beyond simple performance degradation to potentially compromise system availability and data processing capabilities in production environments.
Organizations utilizing affected InfiniStore versions should immediately implement mitigation strategies including updating to patched releases, implementing rate limiting for purging operations, and monitoring for unusual performance patterns that may indicate exploitation attempts. The vulnerability highlights the importance of proper algorithmic complexity analysis in database and storage system components, particularly those handling critical data operations. Security teams should consider implementing network segmentation and access controls to limit local attack vectors while also preparing for potential exploitation through the established ATT&CK framework's resource exhaustion and privilege escalation tactics. Regular security assessments of storage system components are essential to identify similar algorithmic inefficiencies that could present similar vulnerabilities in other parts of the infrastructure stack.