CVE-2026-10142
Kafka-Python Protocol Parser DoS via Malicious Frame Length

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart.
Meta Information
Generated: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: databricks
Product: kafka-python
Version / Range: all versions before 2.3.2 (2.3.2 excluded)
Weakness
CWE-789: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Executive Summary

The vulnerability exists in kafka-python versions prior to 2.3.2 within the protocol parser. It allows a malicious broker or a machine-in-the-middle attacker to cause a denial-of-service by sending a specially crafted 4-byte frame length value that lacks proper bounds validation.

This crafted frame length, when processed by the receive_bytes() function, can trigger either a very large memory allocation (multi-gigabyte) or an uncaught ValueError. Both outcomes cause the connection to hang or break, leading to requests stalling and consumers stopping their heartbeats until the application is restarted.
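The description and the summary above both come down to one missing check: a 4-byte length prefix read from the wire is used to size a buffer before anyone asks whether it is negative or absurdly large. The reader below is an added example written for this page; it is not kafka-python's code and not the fix shipped in 2.3.2. The names FrameReader, read_all, encode_frame and length_prefix, and the 100 MiB cap in MAX_FRAME_BYTES, are assumptions for illustration. It shows the defensive shape: range-check the untrusted prefix before it can drive any allocation, grow the buffer only as payload bytes actually arrive, and turn a bad prefix into an explicit broken state instead of an unhandled exception that leaves the connection half-dead.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical cap on a single frame, standing in for the largest message a
# broker is configured to send; not a value taken from kafka-python.
MAX_FRAME_BYTES = 100 * 1024 * 1024  # 100 MiB


class FrameError(Exception):
    """A frame length that must not be honoured (negative or over the cap)."""


@dataclass
class FrameReader:
    """Incremental reader for frames prefixed with a 4-byte big-endian length.

    feed() takes whatever chunk the socket delivered and returns the payloads
    completed so far. The length prefix is untrusted: it is range-checked
    before it can influence any allocation, and buffer space grows only as
    payload bytes actually arrive, so a prefix promising gigabytes that never
    come costs nothing. A rejected prefix puts the reader into an explicit
    broken state so the caller knows to drop the connection and reconnect.
    """
    max_frame: int = MAX_FRAME_BYTES
    broken: bool = False
    _buf: bytearray = field(default_factory=bytearray)
    _expected: Optional[int] = None

    def feed(self, chunk: bytes) -> List[bytes]:
        if self.broken:
            raise FrameError("reader is broken; reconnect before reading")
        self._buf.extend(chunk)
        frames: List[bytes] = []
        while True:
            if self._expected is None:
                if len(self._buf) < 4:
                    break  # need the full length prefix first
                (length,) = struct.unpack(">i", bytes(self._buf[:4]))
                # Bounds validation on the attacker-controlled prefix.
                if length < 0 or length > self.max_frame:
                    self.broken = True
                    raise FrameError(
                        f"frame length {length} outside 0..{self.max_frame}"
                    )
                del self._buf[:4]
                self._expected = length
            if len(self._buf) < self._expected:
                break  # payload still incomplete; wait for more bytes
            frames.append(bytes(self._buf[: self._expected]))
            del self._buf[: self._expected]
            self._expected = None
        return frames


def length_prefix(n: int) -> bytes:
    """Encode a raw 4-byte signed big-endian length (constructed test data)."""
    return struct.pack(">i", n)


def encode_frame(payload: bytes) -> bytes:
    """Build a well-formed frame (constructed test data, not broker output)."""
    return length_prefix(len(payload)) + payload


def read_all(chunks: List[bytes], max_frame: int = MAX_FRAME_BYTES
             ) -> Tuple[List[bytes], Optional[str]]:
    """Feed chunks in order; return (frames decoded, error message or None)."""
    reader = FrameReader(max_frame=max_frame)
    frames: List[bytes] = []
    for chunk in chunks:
        try:
            frames.extend(reader.feed(chunk))
        except FrameError as exc:
            return frames, str(exc)
    return frames, None


if __name__ == "__main__":
    # Constructed inputs: a valid frame split across two reads, then a prefix
    # claiming a 2 GiB payload, then a negative prefix. Neither bad prefix
    # allocates anything; both are reported as protocol errors.
    good = encode_frame(b"metadata-response")
    print(read_all([good[:3], good[3:]]))
    print(read_all([length_prefix(0x7FFFFFFF)]))
    print(read_all([length_prefix(-1)]))
```

The cap is the part a real client has to get right: it should track the largest message the cluster is configured to produce, since a broker that is merely misconfigured rather than hostile can also send frames larger than the client expects, and those should fail loudly rather than quietly grow the heap.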

Impact Analysis

This vulnerability can impact you by causing denial-of-service conditions in your kafka-python client applications.

  • Memory exhaustion due to large allocations triggered by malicious frame lengths.
  • Connections hanging or breaking because of uncaught errors, leading to stalled requests.
  • Consumers stopping their heartbeat signals, which can disrupt message consumption until the client is restarted.
Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
