Skip to main content

Apache Fluss CVE-2026-49361

| EUVDEUVD-2026-33600 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 security@apache.org GHSA-4c39-fwgj-4vq7
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 17:23 vuln.today
CVSS changed
Jun 01, 2026 - 17:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 09:16 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 09:16 nvd
HIGH 7.5

DescriptionCVE.org

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.

This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.

Users are recommended to upgrade to version 0.9.1, which fixes the issue.

AnalysisAI

Denial of service in Apache Fluss (incubating) versions 0.8.0 and 0.9.0 allows unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer components by sending specially crafted Netty frame headers. The flaw stems from a misconfigured LengthFieldBasedFrameDecoder accepting Integer.MAX_VALUE (~2GB) as the maximum frame length, enabling memory exhaustion with minimal attacker effort. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.05% (17th percentile), suggesting limited current attacker interest despite the network-reachable attack surface.

Technical ContextAI

Apache Fluss is an incubating streaming storage system designed for real-time analytics, where TabletServer handles data storage/serving and CoordinatorServer manages cluster coordination - both expose Netty-based network endpoints for client and inter-node communication. Netty's LengthFieldBasedFrameDecoder is a standard codec that reads a length prefix from incoming frames and allocates a buffer of that declared size; when the maxFrameLength parameter is set to Integer.MAX_VALUE (2,147,483,647 bytes), an attacker can declare frames up to ~2GB causing the JVM to attempt large heap allocations. This is a textbook instance of CWE-400 (Uncontrolled Resource Consumption), where input validation on size fields is delegated to a sentinel value that effectively disables the safety check.

RemediationAI

Vendor-released patch: Apache Fluss 0.9.1 - upgrade both TabletServer and CoordinatorServer nodes per the Apache advisory at https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373 and the oss-security disclosure at http://www.openwall.com/lists/oss-security/2026/05/30/5. If immediate upgrade is not feasible, restrict network reachability to the Fluss TabletServer and CoordinatorServer ports via firewall/security-group rules so only trusted client subnets can connect, which eliminates the unauthenticated remote attack path at the cost of breaking any out-of-segment client access. Monitor JVM heap metrics and configure aggressive heap-exhaustion alerting and automatic restart policies on the affected processes as a detection/recovery control, accepting that this only limits blast radius rather than preventing exploitation.

Share

CVE-2026-49361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy