Description
Out-of-bounds Read vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Out-of-Bounds Read
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an out-of-bounds read (CWE-125) in the JSON protocol implementation of Apache Thrift's C++ library (TJSONProtocol). While decoding JSON-encoded Thrift data, the parser can read past the end of the buffer that holds the message, so the decoded result, an error path, or a crash can expose bytes that sit next to that buffer. The CVSS vector (C:L/I:N/A:L) names exactly those two consequences: partial disclosure of process memory, and a possible availability loss if the over-read reaches an unmapped page and the process dies. Nothing is written out of bounds, so integrity is unaffected.

Affected Systems

Apache Thrift releases before 0.23.0 are affected. The CVE title ("C++ JSON OOB read") scopes the defect to the C++ library, so the exposed population is C++ services and clients that link libthrift and deserialize JSON-protocol messages from a party an attacker can influence; deployments that only use the binary or compact protocol do not exercise the affected parser. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, 6.5 Medium) rates the impact as limited disclosure of memory contents plus limited availability loss, not a wholesale leak of confidential data.

Risk and Exploitability

Exploitation requires getting attacker-controlled JSON-protocol Thrift data parsed by an affected C++ process: a network-reachable service that accepts the JSON protocol, or a client that deserializes responses from a server the attacker controls. The vector records no privilege or user-interaction requirement (PR:N/UI:N) and SSVC marks the issue Automatable: yes, so the only barrier is whether the JSON protocol is reachable from the attacker. No public exploit is documented, the EPSS score is below 1%, and the CVE is not in CISA's KEV catalog, so active exploitation is unlikely today. What an attacker can learn is bounded by what the parser returns or logs from the over-read, which is why confidentiality is rated Low rather than High.

Generated by OpenCVE AI on April 28, 2026 at 19:23 UTC.
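As an added illustration of the weakness class the Impact and Risk paragraphs describe (this is not Thrift's code and does not reproduce the specific defect behind CVE-2026-41607, which the page does not detail), here is the CWE-125 pattern in a minimal JSON string reader: a weak version that searches for the closing quote without regard to the buffer length, beside a bounded version. The message bytes `abc`, the neighbouring bytes `tok_123" ...`, and the function names are constructed for the demonstration.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

// Both readers decode the body of a JSON string: `p` points just past the
// opening '"' and `len` is the number of bytes the caller actually owns.
// Escape sequences are deliberately not handled; the only thing under
// examination is whether the search for the closing quote respects `len`.

// Weak reader (CWE-125 pattern): the loop condition consults the data, never
// `len`. For a message whose closing quote is missing it walks past the end of
// the buffer and returns whatever bytes it finds before the next '"'.
std::string read_json_string_unchecked(const char* p, std::size_t /*len*/) {
    std::string out;
    for (std::size_t i = 0; p[i] != '"'; ++i) {   // no bound on i
        out.push_back(p[i]);
    }
    return out;
}

// Bounded reader: every access is guarded by `len`; a string that is not
// terminated inside the buffer is malformed input and is rejected.
std::optional<std::string> read_json_string_checked(const char* p, std::size_t len) {
    std::string out;
    for (std::size_t i = 0; i < len; ++i) {
        if (p[i] == '"') return out;
        out.push_back(p[i]);
    }
    return std::nullopt;   // truncated: no closing quote within bounds
}

// Constructed demo data: a truncated message (no closing quote) followed, in
// the same allocation, by unrelated bytes that happen to sit next to it.
// Keeping both in one std::string makes the over-read deterministic and keeps
// the demonstration itself free of undefined behaviour.
const std::string kMessage   = "abc";             // what the peer sent
const std::string kNeighbour = "tok_123\" ...";   // adjacent memory contents
const std::string kStorage   = kMessage + kNeighbour;

// What the weak reader hands back to the application: the message plus the
// neighbouring bytes up to the first quote it stumbles on.
std::string leaked_by_unchecked_reader() {
    return read_json_string_unchecked(kStorage.data(), kMessage.size());
}

// The bounded reader sees only kMessage.size() bytes and refuses the input.
bool checked_reader_rejects_truncated_input() {
    return !read_json_string_checked(kStorage.data(), kMessage.size()).has_value();
}

int main() {
    std::cout << "unchecked returned: " << leaked_by_unchecked_reader() << '\n';
    std::cout << "checked rejected truncated input: "
              << (checked_reader_rejects_truncated_input() ? "yes" : "no") << '\n';
    auto ok = read_json_string_checked("hello\" trailing", 6);
    std::cout << "checked on well-formed input: " << ok.value() << '\n';
    return 0;
}
```

The weak reader returns `abctok_123`, the message plus the neighbouring bytes, which is the information-disclosure outcome the CVSS vector scores as C:L; the bounded reader returns no value for the same input and `hello` for a properly terminated one. In a real parser the adjacent bytes are whatever the allocator placed there, and when they are an unmapped page the over-read becomes the A:L crash instead.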

Remediation

A vendor fix is available: Apache Thrift 0.23.0, as stated in the description. No workaround other than upgrading has been published.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later. The defect is in the C++ runtime library's JSON parser, so the fix means updating the libthrift that services link against and redeploying statically linked binaries, not only replacing the code generator.
  • Keep the JSON protocol away from untrusted peers: segment Thrift endpoints or front them with mutually authenticated TLS, and if clients only need the binary or compact protocol, do not enable JSON on network-facing listeners.
  • Hardened compiler settings such as stack protectors or FORTIFY_SOURCE generally do not catch an out-of-bounds read inside parser logic. To detect this class of bug, build and fuzz the parser with AddressSanitizer (-fsanitize=address) in test environments; treat that as a detection aid, not a substitute for the upgrade.
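A version gate for the first action, written here as an added example rather than anything from the Thrift project: it parses a release string, either bare (`0.22.0`) or the `Thrift version X.Y.Z` line that `thrift --version` is assumed to print, and reports whether it falls in the affected range before 0.23.0. The sample strings in `main` are constructed.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

// Fixed release named by the advisory: 0.23.0. Everything strictly below is
// in the affected range ("before 0.23.0").
constexpr int kFixedVersion[3] = {0, 23, 0};

// Extract the first dotted numeric version from `text` into {major, minor,
// patch}; missing components default to 0. Accepts bare "0.22.0" as well as
// a "Thrift version 0.22.0" line (assumed output format of `thrift --version`).
// Returns false when no version can be read.
bool parse_thrift_version(const std::string& text, int out[3]) {
    std::size_t i = 0;
    while (i < text.size() && !std::isdigit(static_cast<unsigned char>(text[i]))) ++i;
    if (i == text.size()) return false;
    out[0] = out[1] = out[2] = 0;
    for (int part = 0; part < 3; ++part) {
        if (i == text.size() || !std::isdigit(static_cast<unsigned char>(text[i]))) return false;
        int v = 0;
        while (i < text.size() && std::isdigit(static_cast<unsigned char>(text[i]))) {
            v = v * 10 + (text[i] - '0');
            ++i;
        }
        out[part] = v;
        if (i < text.size() && text[i] == '.') { ++i; continue; }
        break;   // end of the dotted run ("0.22" is read as 0.22.0)
    }
    return true;
}

// True when the parsed version is strictly before 0.23.0, false when it is at
// or above it, and std::nullopt when `text` carries no version. Release
// numbers only: a snapshot or pre-release build has to be judged by the
// commit it was built from, which this advisory does not name.
std::optional<bool> is_affected_thrift(const std::string& text) {
    int v[3];
    if (!parse_thrift_version(text, v)) return std::nullopt;
    for (int k = 0; k < 3; ++k) {
        if (v[k] < kFixedVersion[k]) return true;
        if (v[k] > kFixedVersion[k]) return false;
    }
    return false;   // exactly 0.23.0: fixed
}

int main() {
    // Constructed sample inputs; in practice feed the output of
    // `thrift --version` or the version string of the libthrift you link.
    const char* samples[] = {"Thrift version 0.22.0", "0.23.0", "0.23.1", "0.9.3", "unknown"};
    for (const char* s : samples) {
        auto r = is_affected_thrift(s);
        std::cout << s << ": "
                  << (r ? (*r ? "affected" : "fixed") : "no version found") << '\n';
    }
    return 0;
}
```

An unparseable string is reported as unknown rather than silently treated as fixed, so a fleet scan that feeds this function cannot hide hosts whose version could not be read.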

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Apache; Apache thrift
Vendors & Products | (none) | Apache; Apache thrift

Tue, 28 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
References | (values not shown) | (values not shown)

Tue, 28 Apr 2026 10:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title | (none) | Apache Thrift: C++ JSON OOB read
Weaknesses | (none) | CWE-125
References | (none) | (values not shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T14:24:09.966Z

Reserved: 2026-04-21T22:10:15.634Z

Link: CVE-2026-41607

Vulnrichment

Updated: 2026-04-28T09:52:12.527Z

NVD

Status : Analyzed

Published: 2026-04-28T10:16:03.573

Modified: 2026-04-28T18:39:19.963

Link: CVE-2026-41607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses