CVE-2026-35554
Race Condition in Apache Kafka Producer Causes Message Misdelivery
Publication date: 2026-04-07
Last updated on: 2026-04-07
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | kafka | to 3.9.1 (inc) |
| apache | kafka | to 4.0.1 (inc) |
| apache | kafka | to 4.1.1 (inc) |
| apache | kafka | 3.9.2 |
| apache | kafka | 4.0.2 |
| apache | kafka | 4.1.2 |
| apache | kafka | 4.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the Apache Kafka Java producer client's buffer pool management. When a batch of messages expires due to a timeout while still being sent over the network, its buffer is prematurely freed and returned to the pool. If a new batch reuses this freed buffer before the original network request finishes, the buffer contents can become corrupted.
As a result, messages may be silently delivered to incorrect topics without any error reported to the producer. This means messages intended for one topic might appear in another topic.
The issue affects Apache Kafka versions up to 3.9.1, 4.0.1, and 4.1.1 and was fixed in later versions such as 3.9.2 and above.
Additionally, the misrouting is extremely rare but can happen in small bursts and is more frequent on higher volume topics. It mainly affects clients using a non-zero linger setting.
How can this vulnerability impact me? :
This vulnerability can impact you by causing messages to be delivered to incorrect topics, potentially exposing sensitive data to unintended consumers.
Data confidentiality is at risk because messages meant for one topic may be read by consumers who have access only to a different topic.
Data integrity is also affected since consumers may receive unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.
Such issues can disrupt normal operations, cause application errors, and potentially expose sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes messages to be silently delivered to incorrect topics, which can be detected by monitoring for misrouted messages that do not match the expected topic.
One practical detection method is to add a header containing the intended topic to each message before sending. Consumers can then check this header against the topic from which the message was received to identify misrouted messages.
Misrouted messages often occur in small bursts (2-3 messages close in time from different hosts) and may coincide with cluster events such as broker restarts or network errors.
While no specific commands are provided in the resources, a suggested approach is to use Kafka consumer tools or scripts to inspect message headers and compare them to the topic name, filtering or logging discrepancies for further analysis.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Apache Kafka clients to versions 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later, where this vulnerability has been fixed.
As an interim mitigation, users have added a header containing the intended topic to each message before sending. This allows consumers to detect and filter out misrouted messages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to messages being delivered to incorrect topics, potentially exposing sensitive data to unauthorized consumers who have access to the destination topic but not the intended source topic.
Such unintended data exposure can violate data confidentiality requirements mandated by regulations like GDPR and HIPAA, which require strict controls over who can access sensitive information.
Additionally, the corruption and misdelivery of messages can compromise data integrity, causing processing errors and corrupted downstream data, which may further impact compliance with standards that require data accuracy and integrity.