Description
Integer Overflow or Wraparound vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an integer overflow in the Swift Compact Protocol implementation of Apache Thrift, affecting all releases before 0.23.0. When the protocol processes malformed input, the overflow can lead to unbounded memory allocation or memory corruption, resulting in program crashes, denial of service, or other adverse effects if the corruption is not otherwise mitigated.

Affected Systems

The flaw resides in the Apache Thrift library distributed by the Apache Software Foundation. All Thrift components built from versions prior to 0.23.0 are affected. No specific operating system or distribution dependencies are listed.

Risk and Exploitability

The EPSS score of < 1% indicates a very low exploitation probability, while the CVSS score of 7.3 reflects high severity. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported. The likely attack vector is remote, targeting a Thrift service that accepts Swift Compact Protocol messages; where such a service is bound only to a trusted network, an attacker would first need access to that network. Exploitation would involve sending oversized or malformed protocol data to trigger an integer overflow that could cause memory corruption or a crash. The lack of public exploits suggests that attackers would have to craft custom payloads and that exploitation has not yet been automated.

Generated by OpenCVE AI on April 28, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later, which implements bounds checking for the Swift Compact Protocol.
  • Disable or remove support for the Swift Compact Protocol in your Thrift deployments if the protocol is not required, to eliminate the vulnerable code path.
  • If disabling the protocol is not feasible, configure strict input validation and size limits on Thrift services that accept external connections, and monitor logs for unusually large or malformed messages.

Generated by OpenCVE AI on April 28, 2026 at 19:23 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:45:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 15:15:00 +0000

Type       Values Removed    Values Added
Metrics                      cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                             ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 11:45:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      Apache, Apache thrift
Vendors & Products                       Apache, Apache thrift

Tue, 28 Apr 2026 10:30:00 +0000

Type          Values Removed    Values Added
References

Tue, 28 Apr 2026 10:00:00 +0000

Type          Values Removed    Values Added
Description                     Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title                           Apache Thrift: Swift Compact Protocol integer overflow
Weaknesses                      CWE-190
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T14:27:11.129Z

Reserved: 2026-04-21T21:32:12.142Z

Link: CVE-2026-41605

Vulnrichment

Updated: 2026-04-28T09:52:07.473Z

NVD

Status : Analyzed

Published: 2026-04-28T10:16:03.350

Modified: 2026-04-28T18:39:57.227

Link: CVE-2026-41605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses