CVE-2026-49361 - Vulnerability Details

- Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

Description

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.

This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.

Users are recommended to upgrade to version 0.9.1, which fixes the issue.

Published: 2026-06-01

Score: 7.5 High

EPSS: 1.0% Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache Fluss versions before 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with a maximum frame length of Integer.MAX_VALUE, which allows an unauthenticated remote attacker to send specially crafted frame headers that exhaust JVM heap memory. The resulting denial of service renders the TabletServer and CoordinatorServer unable to process requests until the heap is reclaimed.

Affected Systems

The affected product is Apache Fluss (incubating) versions 0.8.0 and 0.9.0, identified by the Apache Software Foundation.

Risk and Exploitability

The CVSS score is 7.5 and the EPSS score is < 1%. Although the EPSS indicates a very low probability of exploitation, the CVSS score reflects a high severity, underscoring the potential for significant impact. The vulnerability enables an attacker with network access to the Fluss servers to submit malformed frames that consume all JVM heap memory, leading to service disruption. The issue is not listed in the CISA KEV catalog. The attack vector is remote and unauthenticated, inferred from the description that the attacker can send crafted frame headers to the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Fluss (incubating)

unaffected

Version	Status	Constraints
`0.8.0`	affected	—
`0.9.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:apache:fluss:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Fluss (incubating)

100%

Version	Status	Scheme	Platform
`0.8.0`	affected	semver	—
`0.9.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Fluss to version 0.9.1
If an upgrade is not immediately possible, block or severely restrict inbound network traffic that could reach the Fluss servers from untrusted sources
Monitor JVM heap usage for sudden spikes that may indicate a memory exhaustion attack

Generated by OpenCVE AI on June 1, 2026 at 18:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01008.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/30/5
https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache fluss (incubating)
Vendors & Products		Apache fluss (incubating)

Mon, 01 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache fluss
CPEs		cpe:2.3:a:apache:fluss::::::::
Vendors & Products		Apache Apache fluss

Mon, 01 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/30/5

Mon, 01 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.
Title		Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability
Weaknesses		CWE-400 CWE-770
References		https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373

Subscriptions

Apache Fluss Fluss (incubating)

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-01T07:57:27.038Z

Updated: 2026-06-01T16:48:51.369Z

Reserved: 2026-05-29T15:44:37.184Z

Link: CVE-2026-49361

Vulnrichment

Updated: 2026-06-01T09:52:52.052Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:20.880

Modified: 2026-06-01T18:24:06.450

Link: CVE-2026-49361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:52Z

Weaknesses

CWE-400
Uncontrolled Resource Consumption
CWE-770
Allocation of Resources Without Limits or Throttling

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object