CVE-2026-41726

ADVISORY - github

Summary

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.

Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

EPSS Score⁠: 0.0004 (0.124)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-770⁠

Allocation of Resources Without Limits or Throttling

ADVISORY - github

CWE-770⁠

Allocation of Resources Without Limits or Throttling

Impacted images

Advisories

NIST

CREATED

4 days ago

UPDATED

3 days ago

ADVISORY IDCVE-2026-41726⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.5medium

GitHub

CREATED

4 days ago

UPDATED

24 hours ago

ADVISORY IDGHSA-xvfq-4q6q-gxx7⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.5medium