Plattform
java
Komponente
org.apache.kafka:kafka-clients
Behoben in
3.9.2
4.0.2
4.1.2
3.9.2
CVE-2026-35554 describes a race condition vulnerability affecting the Apache Kafka Java producer client. This flaw allows messages to be silently delivered to incorrect topics, potentially leading to data corruption and misdirection. Versions of the Kafka client up to and including 3.9.1 are vulnerable. A fix is available in version 3.9.2.
The core impact of this race condition lies in the potential for message misdelivery. When a producer batch expires while a network request is still in flight, the associated buffer is prematurely released back into the pool. A subsequent batch, possibly destined for a different topic, can then reuse this buffer, leading to the corruption of the original message's data. This can result in sensitive information being sent to unintended recipients, disrupting data pipelines, and potentially causing operational failures. The blast radius extends to any application relying on the Kafka cluster for reliable message delivery, as the vulnerability is inherent in the client-side logic. While not directly exploitable for remote code execution, the data integrity compromise can have severe consequences depending on the data being transmitted and the downstream systems consuming it. The silent nature of the misdelivery makes detection challenging without robust monitoring and validation mechanisms.
CVE-2026-35554 was published on 2026-04-07. The vulnerability's EPSS score is currently pending evaluation. No public proof-of-concept (POC) exploits are currently known. While no active campaigns targeting this vulnerability have been reported, the potential for silent data corruption warrants careful attention and proactive mitigation. The NVD entry is available at [NVD Link - Placeholder].
Exploit-Status
EPSS
0.04% (11% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2026-35554 is to upgrade the Apache Kafka client to version 3.9.2 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Implement strict topic access controls to limit the potential impact of misdirected messages. Deploy Web Application Firewall (WAF) or proxy rules to inspect message payloads and routing information, flagging any anomalies or unexpected topic destinations. Enhance monitoring and logging to detect potential message misrouting patterns. Specifically, look for messages appearing on topics they shouldn't be. Consider increasing the delivery.timeout.ms configuration parameter to reduce the likelihood of batch expiration during network requests, though this may impact producer performance. After upgrading to 3.9.2, verify the fix by sending test messages to various topics and confirming that they are delivered to the correct destinations.
Actualice a Apache Kafka Clients versión 3.9.2 o superior, 4.0.2 o superior, 4.1.2 o superior, o 4.2.0 o superior para mitigar la vulnerabilidad de corrupción de mensajes y enrutamiento incorrecto debido a una condición de carrera en el pool de búferes.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
It's a Race Condition in Apache Kafka client versions up to 3.9.1 that can cause messages to be silently delivered to incorrect topics due to buffer pool mismanagement.
If you are using Apache Kafka client versions 3.9.1 or earlier, you are potentially affected by this vulnerability. Check your Kafka client version immediately.
Upgrade to Apache Kafka client version 3.9.2 or later. If immediate upgrade isn't possible, implement WAF rules and enhance monitoring for message misrouting.
No active campaigns targeting this vulnerability have been reported, but the potential for silent data corruption requires proactive mitigation.
Refer to the Apache Kafka security advisory and the NVD entry for CVE-2026-35554 for detailed information and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine pom.xml-Datei hoch und wir sagen dir sofort, ob du betroffen bist.