Description
Uncontrolled Recursion vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stack overflow from uncontrolled recursion that can crash Thrift services, leading to denial‑of‑service.
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an uncontrolled recursion in the Apache Thrift c_glib dispatch layer that can cause a stack overflow. If an attacker sends a specially crafted request, the dispatcher recurses without bounds, exhausting stack memory. This can lead to a denial‑of‑service.

Affected Systems

The flaw exists in Apache Thrift packages prior to version 0.23.0. Systems running any of these older releases are susceptible. Upgrading to 0.23.0 or later removes the recursion flaw.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is <1%, suggesting a low likelihood of exploitation. The flaw is not currently listed in CISA KEV. Based on the server‑side nature of Thrift, the attack vector is inferred to be a remote attacker sending malicious RPC payloads. No exploitation proof has been disclosed yet, but the absence of mitigations in older versions makes exploitation plausible if a trusted client sends the recursive input.

Generated by OpenCVE AI on April 28, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later to apply the stack‑overflow fix.
  • Rebuild and redeploy all services that link against the Thrift client and server libraries to ensure the updated code is in use.
  • If upgrading is delayed, adjust application or network controls to limit the size or depth of RPC calls and monitor for abnormal crashes, as a temporary mitigation against the recursion attack.

Generated by OpenCVE AI on April 28, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 28 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache thrift
Vendors & Products Apache
Apache thrift

Tue, 28 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title Apache Thrift: c_glib dispatch stack overflow
Weaknesses CWE-674
References

Subscriptions

Apache Thrift
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T14:25:48.294Z

Reserved: 2026-04-21T21:32:46.659Z

Link: CVE-2026-41606

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T10:16:03.463

Modified: 2026-04-28T18:39:41.027

Link: CVE-2026-41606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses