CVE-2026-41726
6.5 MEDIUMWhen an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with uniqu...
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-770
Description
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-24720 — An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6
- CVE-2026-41716 — Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhau... (7.5 HIGH)
- CVE-2026-28237 — Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of ...
- CVE-2026-49955 — Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade... (5.3 MEDIUM)
- CVE-2026-42570 — Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job (7.5 HIGH)