{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41726", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-22T06:21:39.014Z", "datePublished": "2026-06-09T23:48:51.048Z", "dateUpdated": "2026-06-27T21:14:56.775Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-27T21:14:56.775Z"}, "title": "In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "A producer can exhaust a consumer's heap without bound by sending Kafka records with unique random spring.kafka.serialization.selector header values when DelegatingDeserializer is configured."}]}], "affected": [{"vendor": "Spring", "product": "Spring for Apache Kafka", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.5.1", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.15.1", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.14", "versionType": "custom"}, {"status": "affected", "version": "2.9.0", "lessThan": "2.9.14", "versionType": "custom"}, {"status": "affected", "version": "2.8.0", "lessThan": "2.8.12", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."}]}], "references": [{"url": "https://spring.io/security/cve-2026-41726"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-10T17:38:31.984058Z", "id": "CVE-2026-41726", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T17:40:20.549Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41726", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-10T17:38:31.984058Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T17:40:11.443Z"}}], "cna": {"title": "In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "A producer can exhaust a consumer's heap without bound by sending Kafka records with unique random spring.kafka.serialization.selector header values when DelegatingDeserializer is configured."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring for Apache Kafka", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.5.1", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.15.1", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.14", "versionType": "custom"}, {"status": "affected", "version": "2.9.0", "lessThan": "2.9.14", "versionType": "custom"}, {"status": "affected", "version": "2.8.0", "lessThan": "2.8.12", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-41726"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.", "supportingMedia": [{"type": "text/html", "value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-27T21:14:56.775Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41726", "state": "PUBLISHED", "dateUpdated": "2026-06-27T21:14:56.775Z", "dateReserved": "2026-04-22T06:21:39.014Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-06-09T23:48:51.048Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."}], "id": "CVE-2026-41726", "lastModified": "2026-06-10T19:24:04.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-06-10T00:16:52.030", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-41726"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "spring-kafka: Spring-kafka: Denial of Service due to unbounded heap growth via unique header values", "id": "2487380", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487380"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.", "A flaw was found in spring-kafka. When an application uses the DelegatingDeserializer, a malicious producer can exploit this vulnerability by sending records with unique, random `spring.kafka.serialization.selector` header values. This can cause the consumer's memory (heap) to grow without limits, leading to excessive garbage collection activity and eventually an OutOfMemoryError, resulting in a Denial of Service (DoS) for the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-41726", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-kafka", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-kafka", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-06-09T23:48:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41726\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41726\nhttps://spring.io/security/cve-2026-41726"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.9.0,2.9.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.8.0,2.8.12)"}}], "original": {"product": "Spring for Apache Kafka", "source": "cna", "vendor": "Spring"}, "product": "spring_for_apache_kafka", "vendor": "spring"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.9.0,2.9.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.8.0,2.8.12)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "Spring for Apache Kafka", "source": "cna", "vendor": "Spring"}, "product": "spring_for_apache_kafka", "vendor": "vmware"}], "created": "2026-06-10T01:30:18.171141+00:00", "updated": "2026-06-10T11:21:37.226012+00:00", "vendors": ["spring", "spring$PRODUCT$spring_for_apache_kafka", "vmware", "vmware$PRODUCT$spring_for_apache_kafka"]}