Description
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart.
Published: 2026-06-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

kafka‑python versions before 2.3.2 allow a denial‑of‑service condition when a broker or a man‑in‑the‑middle attacker sends a specially crafted 4‑byte frame length through the receive_bytes() function. This value is used directly to allocate memory or trigger a ValueError without bounds validation; as a result, a client can experience either a multi‑gigabyte memory allocation or a broken connection that holds requests in a hung state, causing consumers to stop heartbeat traffic until the connection is reset. The weakness is a classic absence of bounds checking that can lead to resource exhaustion or memory allocation errors (CWE‑789, CWE‑770).

Affected Systems

The affected product is kafka‑python, version 2.3.1 and earlier, distributed by Dana Powers on the Python Package index. Applications that use these versions to connect to a broker or any network endpoint that could be spoofed or controlled by an attacker are at risk.

Risk and Exploitability

The CVSS score of 8.7 classifies this vulnerability as high severity. The EPSS score is less than 1%, indicating a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog, indicating that there is currently no public evidence of exploitation. The likely attack vector is network‑based: an attacker who can send or modify traffic to a kafka‑python client can trigger the vulnerable frame length parsing path. Because the failure causes memory exhaustion or a connection hang, the impact is local to the client process but can propagate to service outages if the failing client is part of a critical data pipeline.

Generated by OpenCVE AI on June 13, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to kafka‑python version 2.3.2 or later to remove the unchecked frame length handling.
  • Restrict client network access to trusted brokers and apply firewall or TLS filtering to mitigate the transmission of malicious frame lengths.
  • Consider implementing a process watchdog to monitor for memory usage and automatically restart stale consumers.

Generated by OpenCVE AI on June 13, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 11 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Dpkp
Dpkp kafka-python
CPEs cpe:2.3:a:dpkp:kafka-python:*:*:*:*:*:python:*:*
Vendors & Products Dpkp
Dpkp kafka-python

Thu, 11 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dana Powers
Dana Powers kafka-python
Vendors & Products Dana Powers
Dana Powers kafka-python

Wed, 10 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart.
Title kafka-python prior to 2.3.2 Denial of Service via Protocol Parser Frame Length
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Dana Powers Kafka-python
Dpkp Kafka-python
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:13:42.149Z

Reserved: 2026-05-29T21:38:32.287Z

Link: CVE-2026-10142

cve-icon Vulnrichment

Updated: 2026-06-11T14:12:58.188Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T22:16:55.350

Modified: 2026-06-11T19:10:45.923

Link: CVE-2026-10142

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T20:13:11Z

Links: CVE-2026-10142 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T02:00:08Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling

  • CWE-789

    Memory Allocation with Excessive Size Value