Which versions of kafka-python are affected by EUVD-2026-36123?

The kafka-python client library vulnerability (CVE-2026-10142, CVSS 8.7) enables denial-of-service attacks against organizations running Kafka-based data pipelines, allowing network-adjacent…. A patch is available.

How to fix or mitigate EUVD-2026-36123?

Within 24 hours: Inventory all kafka-python deployments and identify affected versions (prior to 2.3.2) across development, staging, and production environments. Within 7 days: Validate kafka-python 2.3.2 or later in staging and initiate phased deployment beginning with non-production clusters. Within 30 days: Complete production rollout of kafka-python 2.3.2 or later across all consumer applications and Kafka client instances.

kafka-python EUVD-2026-36123

Q: What is the CVSS score of EUVD-2026-36123?

EUVD-2026-36123 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

| CVE-2026-10142 HIGH

Memory Allocation with Excessive Size Value (CWE-789)

2026-06-10 VulnCheck

GHSA-m3px-q5gj-j9x7

Python Information Disclosure

8.7

CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

7.5 HIGH

Triggered by a single unauthenticated network frame from a broker-positioned attacker; pure availability impact (OOM or hung connection), no confidentiality or integrity loss, no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Jun 10, 2026 - 22:33 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 10, 2026 - 22:32 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 10, 2026 - 22:22 vuln.today

cvss_changed

CVSS changed

Jun 10, 2026 - 22:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Source Code Evidence Fetched

Jun 10, 2026 - 21:17 vuln.today

Analysis Generated

Jun 10, 2026 - 21:17 vuln.today

DescriptionCVE.org

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart.

Articles & Coverage 2

News 7 New Python Vulnerabilities - 1 Critical, 6 High Severity Jun 11, 2026 News 6 New Python Vulnerabilities - 1 Critical, 5 High Severity Jun 10, 2026

AnalysisAI

Denial of service in the kafka-python client library (versions prior to 2.3.2) allows a malicious Kafka broker or man-in-the-middle attacker to exhaust client memory or wedge connections by sending a crafted 4-byte frame length header. The protocol parser's receive_bytes() function performs no bounds check on the declared frame size, leading to multi-gigabyte allocations or uncaught ValueError exceptions that stop consumer heartbeats. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Position as malicious or impersonated broker

Delivery

Victim client opens Kafka connection

Exploit

Send response frame with oversized 4-byte length prefix

Execution

receive_bytes() skips bounds check

Persist

Multi-GB allocation or uncaught ValueError

Impact

Consumer process OOM or heartbeat stalls

Access

Position as malicious or impersonated broker

Delivery

Victim client opens Kafka connection

Exploit

Send response frame with oversized 4-byte length prefix

Execution

receive_bytes() skips bounds check

Persist

Multi-GB allocation or uncaught ValueError

Impact

Consumer process OOM or heartbeat stalls

Vulnerability AssessmentAI

Exploitation	Attacker must be able to deliver bytes to the kafka-python client's TCP socket as if they were a Kafka broker response - either by operating a broker the victim bootstraps against, compromising a legitimate broker, or sitting on the network path of a non-TLS Kafka connection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 4.0 8.7 is driven entirely by VA:H with VC:N/VI:N - this is a pure availability bug, not RCE or data exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who controls a Kafka broker the victim client connects to (e.g., a malicious tenant in a shared cluster, a rogue insider, or a network attacker on plaintext Kafka traffic) sends a response frame whose 4-byte length prefix declares ~2 GB. The kafka-python parser attempts to allocate that buffer, exhausting victim process memory and triggering OOM-kill, or alternatively raises an uncaught ValueError that leaves the consumer's connection state broken and stops group heartbeats until the process is restarted. …
Remediation	Vendor-released patch: upgrade kafka-python to 2.3.2 or later, which adds bounds checking in KafkaProtocol.receive_bytes() via _validate_frame_size() and exposes a configurable receive_message_max_bytes ceiling (default 1 MB at the connection layer). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all kafka-python deployments and identify affected versions (prior to 2.3.2) across development, staging, and production environments. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-43986 CRITICAL Act Now

9.9 Jun 04

Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T

CVE-2026-47731 CRITICAL Act Now

9.1 Jun 05

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to

CVE-2026-48031 CRITICAL Act Now

9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

CVE-2026-41065 HIGH This Week

8.9 Jun 04

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst

CVE-2026-43984 HIGH This Week