Severity by source
Vendor (VMware), primary rating: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
Description (NVD)
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.
Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Analysis (AI-generated)
Unbounded heap growth in Spring for Apache Kafka's DelegatingDeserializer allows an authenticated network producer to trigger a Denial of Service against any consumer application that opts into this deserializer. By flooding the consumer with Kafka records carrying unique, randomized spring.kafka.serialization.selector header values, an attacker forces unbounded cache growth on the consumer's JVM heap, ultimately inducing GC thrash and OutOfMemoryError. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Section | Assessment |
| --- | --- |
| Exploitation | The application must explicitly opt into Spring for Apache Kafka's DelegatingDeserializer - this is not the default configuration, so deployments using standard StringDeserializer, JsonDeserializer, or other non-delegating implementations are not vulnerable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.5 (Medium) is broadly accurate for this class of vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with authenticated Kafka producer credentials - for instance, a compromised microservice or a malicious tenant in a shared Kafka cluster - writes a high-volume stream of records to a topic consumed by a target Spring application using DelegatingDeserializer. Each record carries a different randomly generated spring.kafka.serialization.selector header value, causing the consumer to accumulate unbounded cache entries on its JVM heap. … |
| Remediation | The vendor advisory at https://spring.io/security/cve-2026-41726 should be consulted for confirmed fixed versions, as no explicit patch release versions were included in the input data; based on the affected ranges, versions beyond 4.0.5, 3.3.15, 3.2.13, 2.9.13, and 2.8.11 respectively are the expected fix targets but this must be verified against the advisory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
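The description above traces the heap growth to producer-controlled spring.kafka.serialization.selector values reaching DelegatingDeserializer. Until the patched version from the vendor advisory is deployed, a consumer can refuse unknown selectors before the delegate ever sees them. The following wrapper is an added example, not code from the advisory or from the Spring project; it assumes that the growth happens inside the delegate's deserialize path, that the consuming application knows the finite set of selector values its producers legitimately send (the names `order` and `payment` below are hypothetical), and that the wrapper is installed as the consumer's value deserializer in place of DelegatingDeserializer.

```java
// Added example (not from the advisory or the Spring project): a guarding
// Deserializer that forwards a record to DelegatingDeserializer only when its
// selector header is on a fixed allowlist. Assumption: rejecting the record
// here keeps unknown selector values out of the delegate entirely.
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.header.Header;
import org.apache.kafka.common.header.Headers;
import org.apache.kafka.common.serialization.Deserializer;
import org.springframework.kafka.support.serializer.DelegatingDeserializer;

public class AllowlistedDelegatingDeserializer implements Deserializer<Object> {

    // Header name as given in the advisory description.
    static final String SELECTOR_HEADER = "spring.kafka.serialization.selector";

    private final Set<String> allowedSelectors;
    private final DelegatingDeserializer delegate = new DelegatingDeserializer();

    // Kafka instantiates deserializers reflectively, so a public no-arg
    // constructor is required. The selector names here are hypothetical;
    // replace them with the values your own producers actually send.
    public AllowlistedDelegatingDeserializer() {
        this(Set.of("order", "payment"));
    }

    AllowlistedDelegatingDeserializer(Set<String> allowedSelectors) {
        this.allowedSelectors = Set.copyOf(allowedSelectors);
    }

    @Override
    public void configure(Map<String, ?> configs, boolean isKey) {
        // Let the real DelegatingDeserializer read its own delegate configuration.
        delegate.configure(configs, isKey);
    }

    @Override
    public Object deserialize(String topic, Headers headers, byte[] data) {
        Header selector = headers == null ? null : headers.lastHeader(SELECTOR_HEADER);
        if (selector != null && selector.value() != null) {
            String value = new String(selector.value(), StandardCharsets.UTF_8);
            if (!allowedSelectors.contains(value)) {
                // Unknown selector: fail this record before the delegate sees it.
                throw new SerializationException(
                        "unexpected " + SELECTOR_HEADER + " value on topic " + topic);
            }
        }
        // A missing header is left to the delegate's own handling; the issue on
        // this page is a flood of unique values, not an absent header.
        return delegate.deserialize(topic, headers, data);
    }

    @Override
    public Object deserialize(String topic, byte[] data) {
        // Without headers no selector can be checked; route through the
        // header-aware path with an empty header set so the same rule applies.
        return deserialize(topic, new org.apache.kafka.common.header.internals.RecordHeaders(), data);
    }

    @Override
    public void close() {
        delegate.close();
    }
}
```

Throwing from a deserializer makes the consumer's poll() fail on that record, so in practice wrap this class in Spring's ErrorHandlingDeserializer (setting the wrapper as the delegate class) so that the rejected record is passed to the container's error handler and skipped rather than retried forever. The exact property names for that wiring are not on this page; take them from the Spring for Apache Kafka reference documentation for your version.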
References
EUVD-2026-35903
GHSA-xvfq-4q6q-gxx7