CVE-2026-35554
Race Condition vulnerability in kafka-clients (Maven)

Category: Race Condition. Known public exploits: none.

What is CVE-2026-35554 About?

This race condition in Apache Kafka's Java producer client leads to messages being silently delivered to incorrect topics. It results from premature deallocation and reuse of message buffers, corrupting data and compromising confidentiality and integrity. Exploitation requires specific timing and conditions related to message expiration and buffer reuse in a multi-threaded environment, making it moderately difficult to reliably trigger.

Affected Software

  • org.apache.kafka:kafka-clients
    • >=2.8.0, <3.9.2
    • >=4.0.0, <4.0.2
    • >=4.1.0, <4.1.2

Technical Details

The vulnerability is a race condition in the Apache Kafka Java producer client's buffer pool management. When a record batch expires because delivery.timeout.ms elapses while the network request carrying it is still in flight, the batch's ByteBuffer is deallocated and returned to the buffer pool even though the in-flight request still references it. If a subsequent batch, possibly destined for a different topic, is allocated that same buffer before the original request completes, the two batches share one buffer and the second batch's writes overwrite the first batch's bytes. The result is either that the original request is transmitted with corrupted data or that the second batch's records are transmitted under the first request's topic, so they arrive at a topic they were never sent to. The producer receives no error in either case, which is what makes the misrouting silent.
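To make that lifecycle concrete, the following is a constructed Python model of the three pieces the paragraph describes: a pool that recycles buffers, a batch that writes its record into one, and a sender whose request keeps referencing the buffer until the bytes are copied to the wire. It is illustration code added for this page, not kafka-clients source; the names BufferPool, Batch, InFlightRequest, VulnerableProducer and HardenedProducer are invented for the model, the sample records are made up, and the deferred-release fix in HardenedProducer is a generic pattern for this class of bug rather than a description of the upstream patch. The interleaving is driven by hand so the outcome is deterministic.

```python
"""Constructed model of a buffer-pool use-after-release race (not kafka-clients code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BUFFER_SIZE = 64


class BufferPool:
    """LIFO free list: the most recently freed buffer is handed out next."""

    def __init__(self, count: int) -> None:
        self.free: List[bytearray] = [bytearray(BUFFER_SIZE) for _ in range(count)]

    def allocate(self) -> bytearray:
        return self.free.pop()

    def deallocate(self, buf: bytearray) -> None:
        self.free.append(buf)


@dataclass
class Batch:
    """One record per batch, stored as a length byte followed by the record bytes."""
    topic: str
    buf: bytearray

    def write(self, record: bytes) -> None:
        if len(record) >= BUFFER_SIZE:
            raise ValueError("record too large for buffer")
        self.buf[0] = len(record)
        self.buf[1:1 + len(record)] = record


@dataclass
class InFlightRequest:
    """References the batch buffer until flush() copies it to the wire."""
    topic: str
    buf: bytearray

    def payload(self) -> bytes:
        n = self.buf[0]
        return bytes(self.buf[1:1 + n])


class VulnerableProducer:
    def __init__(self, pool: BufferPool) -> None:
        self.pool = pool
        self.in_flight: List[InFlightRequest] = []
        self.delivered: List[Tuple[str, bytes]] = []

    def send(self, batch: Batch) -> None:
        self.in_flight.append(InFlightRequest(batch.topic, batch.buf))

    def expire(self, batch: Batch) -> None:
        # BUG: the delivery timeout returns the buffer while a request still references it.
        self.pool.deallocate(batch.buf)

    def flush(self) -> List[Tuple[str, bytes]]:
        # The "broker" sees whatever the buffer holds at the moment the bytes go out.
        for req in self.in_flight:
            self.delivered.append((req.topic, req.payload()))
        self.in_flight.clear()
        return self.delivered


class HardenedProducer(VulnerableProducer):
    """Same API, but a buffer is recycled only once no in-flight request holds it."""

    def __init__(self, pool: BufferPool) -> None:
        super().__init__(pool)
        self.deferred: Dict[int, bytearray] = {}  # id(buf) -> buffer awaiting release

    def expire(self, batch: Batch) -> None:
        if any(req.buf is batch.buf for req in self.in_flight):
            self.deferred[id(batch.buf)] = batch.buf  # release after the request completes
        else:
            self.pool.deallocate(batch.buf)

    def flush(self) -> List[Tuple[str, bytes]]:
        for req in self.in_flight:
            self.delivered.append((req.topic, req.payload()))
            buf = self.deferred.pop(id(req.buf), None)
            if buf is not None:
                self.pool.deallocate(buf)  # safe now: the request no longer needs it
        self.in_flight.clear()
        return self.delivered


def run_interleaving(producer_cls) -> List[Tuple[str, bytes]]:
    """Expire a batch while its request is in flight, then allocate for another topic."""
    pool = BufferPool(2)
    producer = producer_cls(pool)
    payments = Batch("payments", pool.allocate())
    payments.write(b"card=4111 amount=250")  # constructed sample record
    producer.send(payments)                  # request for 'payments' is now in flight
    producer.expire(payments)                # delivery.timeout.ms elapses before it completes
    audit = Batch("audit-log", pool.allocate())
    audit.write(b"login user=alice ok")      # constructed sample record
    producer.send(audit)
    return producer.flush()                  # both requests reach the wire


if __name__ == "__main__":
    for cls in (VulnerableProducer, HardenedProducer):
        print(cls.__name__, run_interleaving(cls))
```

With the vulnerable producer the audit record is delivered twice, once under its own topic and once under "payments", because the expired batch's buffer was handed to the audit batch while the payments request still pointed at it. The hardened variant parks the buffer until its request has been flushed, so the audit batch gets a different buffer and each topic receives only its own record.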

What is the Impact of CVE-2026-35554?

Successful exploitation may compromise data confidentiality, since records intended for one topic can be misrouted to another and read by that topic's consumers, and data integrity, since records can be corrupted in transit or delivered to consumers whose deserializers and processing logic expect a different schema, leading to deserialization failures and processing errors. None of these outcomes is reported back to the producer.

What is the Exploitability of CVE-2026-35554?

Exploitation of this race condition is of moderate to high complexity: it requires precise timing so that batch expiration, buffer deallocation and reuse of the same buffer all line up while a request is still in flight. No authentication or privilege requirements are specified, because the flaw lies in the producer client's internal logic rather than in a network-facing interface. It is not directly reachable remotely; an attacker would need to control or influence the application that uses the Kafka producer client, for example by driving its message volume. Conditions that make the window easier to hit include high message throughput, a short delivery.timeout.ms relative to request latency, and network latency that keeps requests in flight longer. The same interleaving can also occur without any attacker, simply under load, so highly concurrent applications that push the producer to its limits face a data-integrity risk even when they process no hostile input.

What are the Known Public Exploits?

No known public exploits or proof-of-concept code have been listed for this CVE.

What are the Available Fixes for CVE-2026-35554?

Available Upgrade Options

  • org.apache.kafka:kafka-clients
    • >=2.8.0, <3.9.2 → Upgrade to 3.9.2
    • >=4.0.0, <4.0.2 → Upgrade to 4.0.2
    • >=4.1.0, <4.1.2 → Upgrade to 4.1.2
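The following is a small triage script, added here and not part of this page's or Apache Kafka's tooling, that scans `mvn dependency:tree` output for kafka-clients coordinates and maps each version onto the affected ranges and fix versions listed above. The dependency:tree lines are constructed sample output. The version ordering is an assumption of the script: a dotted numeric version with an optional qualifier, where a qualified version such as 3.9.2-rc1 or 3.9.2-SNAPSHOT sorts below the bare 3.9.2 release (as Maven orders them), so pre-releases of a fix version are still reported as affected.

```python
"""Triage kafka-clients versions in Maven dependency:tree output against CVE-2026-35554."""
import re
from typing import List, Optional, Tuple

# (lower bound inclusive, upper bound exclusive, fixed version) per the advisory's ranges.
# Bounds carry a fourth component: 0 for a bare release, -1 for a qualified pre-release.
AFFECTED_RANGES = [
    ((2, 8, 0, 0), (3, 9, 2, 0), "3.9.2"),
    ((4, 0, 0, 0), (4, 0, 2, 0), "4.0.2"),
    ((4, 1, 0, 0), (4, 1, 2, 0), "4.1.2"),
]

# Matches the artifact coordinate as dependency:tree prints it; group 1 is the version token.
COORD_RE = re.compile(r"org\.apache\.kafka:kafka-clients:jar:([^:\s)]+)")
_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'3.9.1' -> (3, 9, 1, 0); '3.9.2-rc1' -> (3, 9, 2, -1), i.e. below the 3.9.2 release."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), -1 if qualifier else 0)


def fix_for(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to, or None if the version is not affected."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if lower <= v < upper:
            return fixed
    return None


def triage(tree_output: str) -> List[Tuple[str, Optional[str]]]:
    """List every kafka-clients version seen in the tree with its fix version (None = OK)."""
    results = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m:
            results.append((m.group(1), fix_for(m.group(1))))
    return results


# Constructed sample of `mvn dependency:tree` output; not real project data.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.apache.kafka:kafka-clients:jar:3.8.1:compile
[INFO] +- org.springframework.kafka:spring-kafka:jar:3.3.0:compile
[INFO] |  \\- org.apache.kafka:kafka-clients:jar:4.0.1:compile
[INFO] \\- com.example:shared-messaging:jar:2.2.0:compile
[INFO]    \\- org.apache.kafka:kafka-clients:jar:3.9.2:compile
"""

if __name__ == "__main__":
    for version, fixed in triage(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {fixed}" if fixed else "not affected"
        print(f"kafka-clients {version}: {status}")
```

Remember that Maven resolves a single kafka-clients version per module ("nearest wins"), so what matters is the version that actually lands on the classpath; run dependency:tree with -Dverbose if you need to see which copies were omitted for conflict, and pin the resolved version to a fixed release in dependencyManagement rather than relying on a transitive upgrade.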


Additional Resources

What are Similar Vulnerabilities to CVE-2026-35554?

Similar Vulnerabilities: CVE-2023-43644, CVE-2023-38546, CVE-2022-34169, CVE-2021-39130, CVE-2020-13936