CVE-2026-41726
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
A vulnerability in Spring for Apache Kafka allows an attacker producer to unboundedly increase the consumer's heap memory usage by sending records with unique `spring.kafka.serialization.selector` header values, leading to GC thrash and OutOfMemoryError.
Risk Assessment
The risk is a potential Denial of Service (DoS) attack on applications using DelegatingDeserializer, which may result in service unavailability.
Recommendation
It is recommended to immediately upgrade Spring for Apache Kafka to version 4.0.6, 3.3.16, 3.2.14, or 2.9.14 (depending on the branch used) and avoid using DelegatingDeserializer in production environments without additional safeguards.
Original NVD description (English source)
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

