What is the CVSS score of CVE-2026-35554?

CVE-2026-35554 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Java are affected by CVE-2026-35554?

Apache Kafka Java producer client versions 3.9.1, 4.0.1, and 4.1.1 contain a buffer use-after-free vulnerability that can cause messages to be silently routed to incorrect topics during batch…. A patch is available.

Java CVE-2026-35554

EUVD-2026-19631 HIGH

Use After Free (CWE-416)

2026-04-07 apache

GHSA-5qcv-4rpc-jp93

Apache Java Information Disclosure Deserialization Use After Free Memory Corruption Red Hat Suse

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 13:45 euvd

EUVD-2026-19631

Analysis Generated

Apr 07, 2026 - 13:45 vuln.today

CVE Published

Apr 07, 2026 - 13:07 nvd

HIGH 8.7

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1,146 maven packages depend on org.apache.kafka:kafka-clients (238 direct, 913 indirect)

Ecosystem-wide dependent count for version 2.8.0.

DescriptionNVD

A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics.

When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch-potentially destined for a different topic-reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.

Data Confidentiality: Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.

Data Integrity: Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.

This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1.

Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.

AnalysisAI

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. …

RemediationAI

Within 24 hours: inventory all Kafka Java producer deployments and identify instances running versions ≤3.9.1, ≤4.0.1, or ≤4.1.1 using dependency scanning tools. Within 7 days: prepare and test upgrade to the next minor version beyond affected ranges (minimum 3.9.2, 4.0.2, or 4.1.2 respectively) in a non-production environment and validate message routing integrity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory