Description
A vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Published: 2026-06-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote denial-of-service flaw arises when a malicious user triggers an integer overflow during the RESTORE IntSet command in Apache Kvrocks. The overflow corrupts internal data structures, causing the server process to crash. An attacker can trigger it by sending a crafted payload over the network without needing any special privileges, interrupting service for all clients. The underlying weakness is CWE-190 (Integer Overflow or Wraparound).

Affected Systems

Apache Kvrocks versions from 2.6.0 through 2.15.0 are affected. The vendor recommends moving to version 2.16.0 to apply the fix.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. EPSS data is not available, so the current exploitation probability is unknown; however, since the flaw is remote and does not require authentication, it remains a valid threat vector. The vulnerability is not listed in the CISA KEV catalog, but any exposed Kvrocks instance remains vulnerable until patched.

Generated by OpenCVE AI on June 25, 2026 at 12:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Kvrocks to version 2.16.0 or later to eliminate the integer overflow and stop the DoS condition.
  • If an upgrade is not immediately possible, isolate the Kvrocks service from untrusted networks or apply network-level filtering to block potentially malicious RESTORE commands until a patch is applied.
  • Consider disabling the RESTORE capability in the Kvrocks configuration as a temporary containment measure while monitoring for any exploitation attempts.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache kvrocks
Vendors & Products | | Apache; Apache kvrocks

Thu, 25 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-190

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Title | | Apache Kvrocks: RESTORE IntSet Integer Overflow Leads to Remote DoS
References | |
Metrics | | cvssV4_0: {'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/S:N/AU:N/R:I/V:D/RE:L/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-25T13:41:46.849Z

Reserved: 2026-06-12T13:08:56.169Z

Link: CVE-2026-54226

Vulnrichment

Updated: 2026-06-25T09:10:00.856Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T14:00:04Z

Weaknesses
  • CWE-190: Integer Overflow or Wraparound