Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.
This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.
Users are recommended to upgrade to version 0.9.1, which fixes the issue.
AnalysisAI
Denial of service in Apache Fluss (incubating) versions 0.8.0 and 0.9.0 allows unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer components by sending specially crafted Netty frame headers. The flaw stems from a misconfigured LengthFieldBasedFrameDecoder accepting Integer.MAX_VALUE (~2GB) as the maximum frame length, enabling memory exhaustion with minimal attacker effort. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.05% (17th percentile), suggesting limited current attacker interest despite the network-reachable attack surface.
Technical ContextAI
Apache Fluss is an incubating streaming storage system designed for real-time analytics, where TabletServer handles data storage/serving and CoordinatorServer manages cluster coordination - both expose Netty-based network endpoints for client and inter-node communication. Netty's LengthFieldBasedFrameDecoder is a standard codec that reads a length prefix from incoming frames and allocates a buffer of that declared size; when the maxFrameLength parameter is set to Integer.MAX_VALUE (2,147,483,647 bytes), an attacker can declare frames up to ~2GB causing the JVM to attempt large heap allocations. This is a textbook instance of CWE-400 (Uncontrolled Resource Consumption), where input validation on size fields is delegated to a sentinel value that effectively disables the safety check.
RemediationAI
Vendor-released patch: Apache Fluss 0.9.1 - upgrade both TabletServer and CoordinatorServer nodes per the Apache advisory at https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373 and the oss-security disclosure at http://www.openwall.com/lists/oss-security/2026/05/30/5. If immediate upgrade is not feasible, restrict network reachability to the Fluss TabletServer and CoordinatorServer ports via firewall/security-group rules so only trusted client subnets can connect, which eliminates the unauthenticated remote attack path at the cost of breaking any out-of-segment client access. Monitor JVM heap metrics and configure aggressive heap-exhaustion alerting and automatic restart policies on the affected processes as a detection/recovery control, accepting that this only limits blast radius rather than preventing exploitation.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33600
GHSA-4c39-fwgj-4vq7