Description
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-05-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when a caller supplies an excessively large size value to the Rust implementation of Apache Thrift. Because the library does not bound that size before allocating, it may request far more memory than the message actually needs, exhausting system memory or crashing the process. This can bring down services that depend on Thrift. The weakness is classified as CWE-789: Uncontrolled Memory Allocation.

Affected Systems

Apache Thrift before version 0.23.0 is affected. This includes all deployments that use the Rust client or server libraries distributed with Apache Thrift prior to that release. The vendor, the Apache Software Foundation, has identified the issue in the generic Thrift library rather than in any single product built on it. Any system that incorporates these components and accepts external requests that may influence size parameters is at risk.

Risk and Exploitability

Exploitability is likely remote, since the size value comes from external input carried in Thrift RPC calls. The EPSS score of < 1% indicates a very low predicted exploitation probability. The absence of a KEV listing also suggests no confirmed widespread attacks, but the flaw can be severe if triggered. The CVSS score of 5.3 indicates medium severity, reflecting a moderate impact on availability and none on confidentiality or integrity. Administrators should treat the vulnerability as high risk for availability disruption and apply the vendor's patch promptly.

Generated by OpenCVE AI on May 5, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or newer to apply the vendor fix.
  • Rebuild any custom Rust components that use Thrift bindings with defensive checks to validate size parameters before they are passed to the allocator.
  • Deploy resource limits, such as cgroup or container constraints, to bound memory usage for Thrift processes, mitigating the impact of unexpected large allocations.
  • Monitor system logs for out-of-memory errors or crashes related to Thrift, and alert when unusual allocation patterns are detected.
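The defensive check recommended above, and the allocation pattern described under Impact, as an added example that is not Apache Thrift's own code: a hypothetical length-prefixed reader in the CWE-789 form beside a hardened form that caps the wire-supplied length and grows the buffer only as payload bytes arrive. The cap value and the sample frames are constructed for this example.

```rust
use std::io::{self, Cursor, ErrorKind, Read};

// Hypothetical upper bound on a wire-supplied container length, constructed
// for this example; a real service sizes it to its own largest messages.
const MAX_CONTAINER_LEN: usize = 1 << 20;

// Reads a big-endian i32 length prefix, the form Thrift's binary protocol
// uses for string and container sizes.
fn read_i32(r: &mut impl Read) -> io::Result<i32> {
    let mut b = [0u8; 4];
    r.read_exact(&mut b)?;
    Ok(i32::from_be_bytes(b))
}

// CWE-789 pattern: the untrusted length drives the allocation directly. A
// length near i32::MAX, or a negative value widened to usize, requests
// gigabytes before any payload arrives; if allocation fails, Rust aborts.
pub fn read_bytes_unchecked(r: &mut impl Read) -> io::Result<Vec<u8>> {
    let len = read_i32(r)? as usize;
    let mut buf = vec![0u8; len];
    r.read_exact(&mut buf)?;
    Ok(buf)
}

// Hardened form: reject negative and oversized lengths before allocating, then
// grow the buffer only as bytes actually arrive, bounding memory by both.
pub fn read_bytes_checked(r: &mut impl Read) -> io::Result<Vec<u8>> {
    let raw = read_i32(r)?;
    if raw < 0 {
        return Err(io::Error::new(ErrorKind::InvalidData, "negative length"));
    }
    let len = raw as usize;
    if len > MAX_CONTAINER_LEN {
        return Err(io::Error::new(ErrorKind::InvalidData, "length exceeds cap"));
    }
    let mut buf = Vec::new();
    r.by_ref().take(len as u64).read_to_end(&mut buf)?;
    if buf.len() != len {
        return Err(io::Error::new(ErrorKind::UnexpectedEof, "truncated payload"));
    }
    Ok(buf)
}

fn main() {
    // Constructed frames: a valid 3-byte string and a hostile length prefix.
    let ok = [0u8, 0, 0, 3, b'a', b'b', b'c'];
    let hostile = [0x7fu8, 0xff, 0xff, 0xff];
    println!("{:?}", read_bytes_checked(&mut Cursor::new(&ok[..])));
    println!("{:?}", read_bytes_checked(&mut Cursor::new(&hostile[..])));
}
```

The hostile frame is rejected after reading only its four-byte prefix, so no allocation proportional to the claimed length ever happens.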

Generated by OpenCVE AI on May 5, 2026 at 21:51 UTC.

Advisories
Source: Github GHSA
ID: GHSA-2f9f-gq7v-9h6m
Title: Apache Thrift has a Memory Allocation with Excessive Size Value Vulnerability
History

Wed, 06 May 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*

Tue, 05 May 2026 20:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Apache, Apache thrift

Type: Vendors & Products
Values Added: Apache, Apache thrift

Tue, 05 May 2026 08:30:00 +0000

Type: Description
Values Added: Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Type: Title
Values Added: Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern

Type: Weaknesses
Values Added: CWE-789
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-05T19:21:34.278Z

Reserved: 2026-05-04T14:10:22.281Z

Link: CVE-2026-43868

Vulnrichment

Updated: 2026-05-05T19:12:21.750Z

NVD

Status : Analyzed

Published: 2026-05-05T09:16:04.123

Modified: 2026-05-06T18:05:16.190

Link: CVE-2026-43868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T22:00:12Z

Weaknesses