Skip to main content

Apache IoTDB EUVDEUVD-2026-42835

| CVE-2026-40007 HIGH
Uncontrolled Recursion (CWE-674)
2026-07-10 apache GHSA-4644-hpfg-x44q
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated remote socket triggers a reliable crash (AV:N/AC:L/PR:N/UI:N) with availability-only impact and no confidentiality or integrity loss (C:N/I:N/A:H); the non-default feature requirement is a precondition, not a base metric.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 10, 2026 - 15:32 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 15:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 15:22 NVD
MEDIUM HIGH
CVSS changed
Jul 10, 2026 - 15:22 NVD
7.5 (MEDIUM) 7.5 (HIGH)
Patch available
Jul 10, 2026 - 09:16 EUVD
Analysis Generated
Jul 10, 2026 - 08:31 vuln.today

DescriptionCVE.org

Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticated attacker can send a stream of repeated E-language prefixes that drives the recursion arbitrarily deep, exhausting the receiver thread's JVM stack and raising StackOverflowError.

This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

AnalysisAI

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed AirGap receiver port
Delivery
Open socket to receiver
Exploit
Send repeated E-language prefixes
Execution
Drive unbounded readLength recursion
Persist
Exhaust JVM thread stack
Impact
StackOverflowError crashes receiver (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target IoTDB instance be configured with pipe_air_gap_receiver_enabled=true - the AirGap pipe receiver is not enabled by default - and that its receiver socket be reachable from the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals broadly agree that this is a real but moderate-priority availability issue rather than a critical emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates a network-reachable IoTDB instance running with pipe_air_gap_receiver_enabled=true and opens a socket to the AirGap receiver port. They send a single stream containing many repeated E-language prefixes; the receiver recurses one level per prefix until the thread's JVM stack is exhausted, throwing StackOverflowError and killing the receiver thread. …
Remediation Vendor-released patch: 2.0.10 - upgrade Apache IoTDB to 2.0.10, which fixes the recursion in the AirGap receiver's readLength method, as advised by Apache at https://lists.apache.org/thread/tr23kh6kp8drrsv8ypv1mqm4v5kyy23m. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all IoTDB deployments and confirm whether pipe_air_gap_receiver_enabled is set to true; if disabled or unused, the vulnerability poses minimal risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40008 CRITICAL
9.8 Jul 10

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in

CVE-2026-28564 CRITICAL
9.8 Jul 10

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag

CVE-2026-24014 CRITICAL
9.8 Jul 06

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can re

CVE-2026-40005 CRITICAL
9.1 Jul 10

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB

CVE-2026-40006 HIGH
7.5 Jul 10

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the

CVE-2026-24012 HIGH
7.5 Jul 06

Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi

CVE-2026-40452 HIGH
7.5 Jul 10

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las

CVE-2026-24013 CRITICAL
9.1 Jul 06

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth

CVE-2026-40009 MEDIUM
6.5 Jul 10

Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own

CVE-2025-64152 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil

CVE-2025-55017 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi

Share

EUVD-2026-42835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy