Description
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics.

When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.
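The lifecycle bug described above, modelled as an added example (this is not Kafka's code): a toy buffer pool in which a batch that expires while its request is still in flight either returns its buffer to the pool immediately (the vulnerable ordering) or only once the network layer has finished with it. Class names, topic names and payloads are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Batch:
    topic: str
    buf: bytearray          # buffer borrowed from the pool for this batch
    expired: bool = False

class BufferPool:
    """Free-list of fixed-size buffers; deallocate() makes a buffer reusable."""
    def __init__(self, count: int, size: int):
        self.size = size
        self.free = [bytearray(size) for _ in range(count)]
    def allocate(self) -> bytearray:
        return self.free.pop() if self.free else bytearray(self.size)
    def deallocate(self, buf: bytearray) -> None:
        self.free.append(buf)

class Producer:
    """Toy producer: the network layer reads a batch's buffer only in complete_request()."""
    def __init__(self, defer_release: bool):
        self.pool = BufferPool(count=1, size=16)  # a single buffer forces reuse
        self.defer_release = defer_release        # False = vulnerable, True = fixed
        self.wire: list[Batch] = []               # requests still in flight
        self.broker: dict[str, bytes] = {}        # topic -> payload the broker received
    def send(self, topic: str, payload: bytes) -> None:
        batch = Batch(topic, self.pool.allocate())
        batch.buf[:] = payload.ljust(self.pool.size, b"\0")
        self.wire.append(batch)                   # request leaves, buffer still referenced
    def expire(self, batch: Batch) -> None:
        """delivery.timeout.ms elapsed while the request is still on the wire."""
        batch.expired = True
        if not self.defer_release:                # vulnerable: free a buffer still in use
            self.pool.deallocate(batch.buf)
    def complete_request(self) -> None:
        """Network layer finally serialises the oldest request from its buffer."""
        batch = self.wire.pop(0)
        self.broker[batch.topic] = bytes(batch.buf).rstrip(b"\0")
        if self.defer_release or not batch.expired:  # fixed: release only now
            self.pool.deallocate(batch.buf)

def scenario(defer_release: bool) -> dict[str, bytes]:
    p = Producer(defer_release)
    p.send("payments", b"card=4111")   # request 1 leaves the client, still in flight
    p.expire(p.wire[0])                # timeout fires before request 1 completes
    p.send("audit-log", b"login ok")   # vulnerable build hands out the freed buffer
    p.complete_request()               # request 1 is written: whose bytes go to 'payments'?
    p.complete_request()
    return p.broker
```

In the vulnerable ordering the 'payments' topic receives the audit-log bytes and the card data vanishes, with no error surfaced to the caller; deferring the release until the request completes keeps each topic's payload intact.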

Data Confidentiality:
Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.

Data Integrity:
Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.

This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1.

Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Message corruption and misrouting leading to data confidentiality and integrity violations
Action: Upgrade Immediately
AI Analysis

Impact

The race condition in the Apache Kafka Java producer client's buffer pool arises when a produce batch expires (delivery.timeout.ms) while the network request carrying it is still in flight. The batch's ByteBuffer is released back to the pool prematurely and may be reused by another batch destined for a different topic. The result is that messages are silently delivered to unintended topics, exposing data to unauthorized consumers and corrupting downstream processing. Because the producer receives no error notification, the confidentiality and integrity impact can go unnoticed.

Affected Systems

The vulnerability affects Apache Kafka clients up to and including versions 3.9.1, 4.0.1, and 4.1.1. Users should update to version 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to remediate the flaw.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability with potential for major impact. The EPSS score is below 1%, indicating a very low estimated probability of exploitation. The flaw is not listed in the CISA KEV catalog, so no exploitation in the wild has been reported. The likely attack vector is any active producer client that sends a high volume of produce requests to a Kafka cluster, which could trigger the race condition. Exploitation would not require privileged access; it only needs network connectivity between the producer and the Kafka broker, which is common in most deployments.

Generated by OpenCVE AI on April 21, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Kafka client instances to at least 3.9.2, 4.0.2, 4.1.2, or 4.2.0.
  • Ensure that all production and testing environments deploy the updated client library and redeploy producer applications.
  • Enable monitoring for unexpected message routing events and review consumer logs for deserialization errors or data anomalies.
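A version triage check for the first action above, added here as an example (not OpenCVE's or Kafka's own tooling): it encodes the affected ranges from this advisory and flags Maven-style `kafka-clients` coordinates that still resolve to a vulnerable release. The dependency lines are constructed sample input, and every release below 3.9.2 is treated as affected, as the advisory's "≤ 3.9.1" reads.

```python
import re

# Fixed release per branch, from the advisory: 3.9.2, 4.0.2, 4.1.2 (and 4.2.0 or later).
FIXED = {(3, 9): (3, 9, 2), (4, 0): (4, 0, 2), (4, 1): (4, 1, 2)}

# Constructed sample of dependency coordinates, as a build tool might list them.
SAMPLE_DEPS = [
    "org.apache.kafka:kafka-clients:4.1.1",
    "org.apache.kafka:kafka-clients:4.2.0",
    "org.apache.kafka:kafka-streams:4.1.1",   # different artifact, not checked here
    "org.apache.kafka:kafka-clients:3.8.1",
    "org.apache.kafka:kafka-clients:3.9.2",
]

def parse_version(v: str) -> tuple[int, int, int]:
    """'4.1.1' or '3.9.1-SNAPSHOT' -> (4, 1, 1); qualifiers after the patch number are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised kafka-clients version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(v: str) -> bool:
    """True when the release falls inside one of the advisory's affected ranges."""
    ver = parse_version(v)
    branch = ver[:2]
    if branch in FIXED:                 # 3.9.x, 4.0.x, 4.1.x: fixed from the listed patch
        return ver < FIXED[branch]
    return ver < (3, 9, 2)              # anything older than 3.9 is covered by "<= 3.9.1"

def scan_dependencies(lines) -> list[str]:
    """Return the kafka-clients coordinates that resolve to an affected version."""
    hits = []
    for line in lines:
        m = re.match(r"org\.apache\.kafka:kafka-clients:(\S+)", line.strip())
        if m and is_affected(m.group(1)):
            hits.append(line.strip())
    return hits
```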

Advisories
GitHub GHSA GHSA-5qcv-4rpc-jp93: Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
History

Tue, 21 Apr 2026 00:15:00 +0000

  • Weaknesses: CWE-367
  • References
  • Metrics: threat_severity None → Moderate

Wed, 08 Apr 2026 20:15:00 +0000

  • First Time appeared: Apache, Apache kafka
  • Vendors & Products: Apache, Apache kafka

Tue, 07 Apr 2026 18:00:00 +0000

  • References

Tue, 07 Apr 2026 15:15:00 +0000

  • Description: the description text given at the top of this page
  • Title: Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
  • Weaknesses: CWE-362, CWE-416
  • References
  • Metrics: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-07T16:23:31.521Z

Reserved: 2026-04-03T11:08:30.442Z

Link: CVE-2026-35554

Vulnrichment

Updated: 2026-04-07T16:23:31.521Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T14:16:23.413

Modified: 2026-04-08T21:27:15.610

Link: CVE-2026-35554

Redhat

Severity: Moderate

Public Date: 2026-04-07T13:07:08Z

Links: CVE-2026-35554 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses