CVE-2026-35554

EPSS 0.04%
Veröffentlicht 07.04.2026 13:07:08
Zuletzt bearbeitet 08.04.2026 21:27:15
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition

A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics.

When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.


Data Confidentiality:
Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.

Data Integrity:
Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.

This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and  ≤ 4.1.1.

Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerApache Software Foundation

≫

Produkt Apache Kafka Clients

Default Statusunaffected

Version <= 3.9.1

Version 2.8.0

Status affected

Version <= 4.0.1

Version 4.0.0

Status affected

Version <= 4.1.1

Version 4.1.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.119

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.7	2.2	5.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://issues.apache.org/jira/browse/KAFKA-19012

https://lists.apache.org/thread/f07x7j8ovyqhjd1to25jsnqbm6wj01d6

http://www.openwall.com/lists/oss-security/2026/04/07/6

https://nvd.nist.gov/vuln/detail/CVE-2026-35554

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35554

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35554

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35554