CVE Catalog

CVE-2026-41726

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

A vulnerability in Spring for Apache Kafka allows an attacker producer to unboundedly increase the consumer's heap memory usage by sending records with unique `spring.kafka.serialization.selector` header values, leading to GC thrash and OutOfMemoryError.

Risk Assessment

The risk is a potential Denial of Service (DoS) attack on applications using DelegatingDeserializer, which may result in service unavailability.

Recommendation

It is recommended to immediately upgrade Spring for Apache Kafka to version 4.0.6, 3.3.16, 3.2.14, or 2.9.14 (depending on the branch used) and avoid using DelegatingDeserializer in production environments without additional safeguards.

Original NVD description (English source)

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS