CVE-2026-41604
Out-of-Bounds Read in Apache Thrift Before
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | thrift | before 0.23.0 (0.23.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41604 is a moderate severity out-of-bounds read vulnerability affecting Apache Thrift versions prior to 0.23.0.
This vulnerability allows unauthorized access to memory outside the intended bounds, which can lead to information disclosure or application instability.
The issue is fixed in Apache Thrift version 0.23.0.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to memory outside the intended bounds.
This may result in information disclosure or cause the affected application to become unstable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-41604 vulnerability in Apache Thrift, users are strongly advised to upgrade to Apache Thrift version 0.23.0 or later, as this version contains the fix for the out-of-bounds read issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is an out-of-bounds read in Apache Thrift that can lead to unauthorized access to memory outside intended bounds, potentially causing information disclosure.
Such information disclosure risks could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access.
However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with these standards.