Platform
java
Component
org.apache.kafka:kafka-clients
Fixed in
3.9.2
4.0.2
4.1.2
CVE-2026-35554 describes a race condition vulnerability affecting the Apache Kafka Java producer client. This flaw allows messages to be silently delivered to incorrect topics, potentially leading to data corruption and misdirection. Versions of the Kafka client up to and including 3.9.1 are vulnerable. A fix is available in version 3.9.2.
The core impact of this race condition lies in the potential for message misdelivery. When a producer batch expires while a network request is still in flight, the associated buffer is prematurely released back into the pool. A subsequent batch, possibly destined for a different topic, can then reuse this buffer, leading to the corruption of the original message's data. This can result in sensitive information being sent to unintended recipients, disrupting data pipelines, and potentially causing operational failures. The blast radius extends to any application relying on the Kafka cluster for reliable message delivery, as the vulnerability is inherent in the client-side logic. While not directly exploitable for remote code execution, the data integrity compromise can have severe consequences depending on the data being transmitted and the downstream systems consuming it. The silent nature of the misdelivery makes detection challenging without robust monitoring and validation mechanisms.
CVE-2026-35554 was published on 2026-04-07. The vulnerability's EPSS score is currently pending evaluation. No public proof-of-concept (POC) exploits are currently known. While no active campaigns targeting this vulnerability have been reported, the potential for silent data corruption warrants careful attention and proactive mitigation. The NVD entry is available at [NVD Link - Placeholder].
Exploit Status
EPSS
0.04% (11% percentile)
CVSS Vector
The primary mitigation for CVE-2026-35554 is to upgrade the Apache Kafka client to version 3.9.2 or later. If an immediate upgrade is not feasible, consider temporary workarounds. Implement strict topic access controls to limit the potential impact of misdirected messages. Deploy Web Application Firewall (WAF) or proxy rules to inspect message payloads and routing information, flagging any anomalies or unexpected topic destinations. Enhance monitoring and logging to detect message misrouting patterns; specifically, look for messages appearing on topics where they should not be. Consider increasing the delivery.timeout.ms configuration parameter to reduce the likelihood of batch expiration during network requests, though this may affect producer performance. After upgrading to 3.9.2, verify the fix by sending test messages to several topics and confirming that each is delivered to the correct destination.
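As an added illustration (not code from the advisory or from the Kafka project), the following shows one way to carry out the monitoring and verification steps above on the Java client: the producer stamps every record with its intended topic in a header, and the consumer side compares that header against the topic the record was actually read from, so a record that lands on the wrong topic through the buffer reuse described earlier is flagged. The header name, the bootstrap address and the delivery.timeout.ms value are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.header.Header;

public final class TopicIntegrityCheck {
    // Assumed header name; any name that producers and consumers agree on works.
    static final String INTENDED_TOPIC_HEADER = "x-intended-topic";

    static Properties producerProps(String bootstrap) {
        Properties p = new Properties();
        p.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrap);
        p.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG,
              "org.apache.kafka.common.serialization.StringSerializer");
        p.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG,
              "org.apache.kafka.common.serialization.StringSerializer");
        // Workaround from the advisory: a longer delivery timeout makes it less likely
        // that a batch expires while its request is still in flight (value is an assumption).
        p.put(ProducerConfig.DELIVERY_TIMEOUT_MS_CONFIG, 300_000);
        return p;
    }

    // Stamp the record with the topic the producer meant it for, so the
    // consumer can detect a mismatch even if the bytes travel in the wrong request.
    static ProducerRecord<String, String> stamped(String topic, String key, String value) {
        ProducerRecord<String, String> rec = new ProducerRecord<>(topic, key, value);
        rec.headers().add(INTENDED_TOPIC_HEADER, topic.getBytes(StandardCharsets.UTF_8));
        return rec;
    }

    // Verification step from the advisory: one stamped probe message per topic.
    static void sendProbes(KafkaProducer<String, String> producer, String... topics) {
        for (String t : topics) producer.send(stamped(t, "probe", "probe for " + t));
        producer.flush();
    }

    // Consumer-side check. Returns null when the record is on its intended topic,
    // otherwise a description suitable for an alert or log line.
    static String misroutingOf(ConsumerRecord<?, ?> rec) {
        Header h = rec.headers().lastHeader(INTENDED_TOPIC_HEADER);
        if (h == null) return null; // unstamped record: nothing to compare against
        String intended = new String(h.value(), StandardCharsets.UTF_8);
        if (intended.equals(rec.topic())) return null;
        return "record " + rec.topic() + "-" + rec.partition() + "@" + rec.offset()
             + " was intended for topic " + intended;
    }
}
```

Run `misroutingOf` over every record in each consumer's poll loop and raise an alert on any non-null result; after the upgrade, `sendProbes` across the topics in use should produce no alerts.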
Upgrade to Apache Kafka Clients version 3.9.2 or later, 4.0.2 or later, 4.1.2 or later, or 4.2.0 or later to mitigate the message corruption and misrouting vulnerability caused by a race condition in the buffer pool.
It is a race condition in Apache Kafka client versions up to 3.9.1 that can cause messages to be silently delivered to incorrect topics due to buffer pool mismanagement.
If you are using Apache Kafka client versions 3.9.1 or earlier, you are potentially affected by this vulnerability. Check your Kafka client version immediately.
Upgrade to Apache Kafka client version 3.9.2 or later. If immediate upgrade isn't possible, implement WAF rules and enhance monitoring for message misrouting.
No active campaigns targeting this vulnerability have been reported, but the potential for silent data corruption requires proactive mitigation.
Refer to the Apache Kafka security advisory and the NVD entry for CVE-2026-35554 for detailed information and updates.