Description
Uncontrolled Recursion vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled recursion in the Apache Thrift c_glib dispatch layer that can cause a stack overflow. If an attacker sends a specially crafted request, the dispatcher recurses without bounds, exhausting stack memory. This can lead to a denial‑of‑service.

Affected Systems

The flaw exists in Apache Thrift packages prior to version 0.23.0. Systems running any of these older releases are susceptible. Upgrading to 0.23.0 or later removes the recursion flaw.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is <1%, suggesting a low likelihood of exploitation. The flaw is not currently listed in CISA KEV. Based on the server‑side nature of Thrift, the attack vector is inferred to be a remote attacker sending malicious RPC payloads. No exploitation proof has been disclosed yet, but the absence of mitigations in older versions makes exploitation plausible if a trusted client sends the recursive input.

Generated by OpenCVE AI on May 1, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later to apply the stack‑overflow fix.
  • Rebuild and redeploy all services that link against the Thrift client and server libraries to ensure the updated code is in use.
  • If upgrading is delayed, adjust application or network controls to limit the size or depth of RPC calls and monitor for abnormal crashes, as a temporary mitigation against the recursion attack.

Generated by OpenCVE AI on May 1, 2026 at 05:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 29 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 28 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache thrift
Vendors & Products Apache
Apache thrift

Tue, 28 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title Apache Thrift: c_glib dispatch stack overflow
Weaknesses CWE-674
References

Subscriptions

Apache Thrift
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T14:25:48.294Z

Reserved: 2026-04-21T21:32:46.659Z

Link: CVE-2026-41606

cve-icon Vulnrichment

Updated: 2026-04-28T09:52:09.927Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T10:16:03.463

Modified: 2026-04-28T18:39:41.027

Link: CVE-2026-41606

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-28T09:21:12Z

Links: CVE-2026-41606 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses