CVE-2026-10142

Kafka-Python Protocol Parser DoS via Malicious Frame Length

Vulnerability report for CVE-2026-10142, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in its protocol parser: the 4-byte frame length read from the socket is not bounds-checked, so a malicious broker or machine-in-the-middle attacker can exhaust memory or hang connections by sending a crafted length value. A specially crafted frame length processed by the receive_bytes() function triggers either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until the client is restarted.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor: dpkp
Product: kafka-python
Version / Range: up to 2.3.2 (exclusive)

CWE

CWE-789: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Detection Guidance

This vulnerability can be detected by monitoring for symptoms such as hung connections, stalled requests, or consumers that stop heartbeating, which indicate that the kafka-python client is in a broken state due to the denial-of-service attack.

Since the vulnerability involves receiving a specially crafted 4-byte frame length that triggers excessive memory allocation or uncaught exceptions, network traffic analysis tools can be used to inspect Kafka protocol frames for abnormal or unusually large frame length values.

While no specific commands are provided in the resources, general detection steps could include:

  • Using packet capture tools like tcpdump or Wireshark to capture Kafka traffic and filter for frames with suspiciously large length fields.
  • Monitoring application logs for uncaught ValueError exceptions or connection hang events related to kafka-python.
  • Checking for kafka-python versions prior to 2.3.2 in your environment, as these are vulnerable.
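The unchecked length read described in the description and in the detection bullets above, shown in Python as an added illustration (this is not kafka-python's own code; the function names, the 100 MiB cap and the sample frames are assumptions made for the example): a vulnerable reader that trusts the 4-byte prefix, a bounds-checked reader that rejects out-of-range lengths before allocating, and a helper that flags suspicious length fields in captured frame headers.

```python
import io
import struct

# Assumed cap on one response frame.  The page does not state the limit
# kafka-python 2.3.2 adopted; choose one that fits your broker's maximum
# message size.
MAX_FRAME_LEN = 100 * 1024 * 1024  # 100 MiB


class InvalidFrameLength(Exception):
    """Raised by the checked reader so the connection layer can close the
    socket cleanly instead of leaving it half-read."""


def _read_exact(stream, length):
    """Read exactly `length` bytes; raise if the peer closes early."""
    buf = bytearray(length)          # allocation sized by the length value
    view = memoryview(buf)
    got = 0
    while got < length:
        n = stream.readinto(view[got:])
        if not n:
            raise ConnectionError("connection closed mid-frame")
        got += n
    return bytes(buf)


def read_frame_unchecked(stream):
    """Vulnerable pattern (hypothetical reconstruction): the 4-byte
    big-endian prefix is trusted as-is.  A huge value becomes a
    multi-gigabyte allocation; a negative value makes bytearray() raise
    ValueError, and nothing here catches it."""
    (length,) = struct.unpack(">i", stream.read(4))
    return _read_exact(stream, length)


def read_frame_checked(stream, max_len=MAX_FRAME_LEN):
    """Hardened reader: validate the length before allocating anything."""
    header = stream.read(4)
    if len(header) != 4:
        raise ConnectionError("connection closed before frame length")
    (length,) = struct.unpack(">i", header)
    if length < 0 or length > max_len:
        raise InvalidFrameLength(
            f"frame length {length} outside 0..{max_len}")
    return _read_exact(stream, length)


def flag_oversized_frames(headers, max_len=MAX_FRAME_LEN):
    """Detection helper: given 4-byte length prefixes captured from the
    wire (for example extracted from a pcap), return (index, length) for
    every value a checked parser would reject."""
    flagged = []
    for i, header in enumerate(headers):
        (length,) = struct.unpack(">i", header[:4])
        if length < 0 or length > max_len:
            flagged.append((i, length))
    return flagged


# Constructed sample frames (not captured traffic): a well-formed frame, a
# header claiming about 2 GiB, and a header with a negative length.
GOOD_FRAME = struct.pack(">i", 5) + b"hello"
HUGE_HEADER = struct.pack(">i", 0x7FFFFFFF)
NEGATIVE_HEADER = struct.pack(">i", -1)


if __name__ == "__main__":
    print(read_frame_checked(io.BytesIO(GOOD_FRAME)))
    for name, header in (("huge", HUGE_HEADER), ("negative", NEGATIVE_HEADER)):
        try:
            read_frame_checked(io.BytesIO(header))
        except InvalidFrameLength as exc:
            print(name, "rejected:", exc)
    print(flag_oversized_frames([GOOD_FRAME[:4], HUGE_HEADER, NEGATIVE_HEADER]))
```

The checked reader raises a dedicated exception before any allocation happens, which lets the caller close the socket and report an error instead of leaving the connection in the half-read state the description calls "broken". The detector applies the same range test to captured headers, so the threshold you choose for the parser and the one you filter on in Wireshark or tcpdump stay consistent.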

Executive Summary

The vulnerability exists in kafka-python versions prior to 2.3.2 within the protocol parser. It allows a malicious broker or a machine-in-the-middle attacker to cause a denial-of-service by sending a specially crafted 4-byte frame length value that lacks proper bounds validation.

This crafted frame length, when processed by the receive_bytes() function, can trigger either a very large memory allocation (multi-gigabyte) or an uncaught ValueError. Both outcomes cause the connection to hang or break, leading to requests stalling and consumers stopping their heartbeats until the application is restarted.

Impact Analysis

This vulnerability can impact you by causing denial-of-service conditions in your kafka-python client applications.

  • Memory exhaustion due to large allocations triggered by malicious frame lengths.
  • Connections hanging or breaking because of uncaught errors, leading to stalled requests.
  • Consumers stopping their heartbeat signals, which can disrupt message consumption until the client is restarted.

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The primary immediate mitigation step is to upgrade kafka-python to version 2.3.2 or later, where the vulnerability has been patched by adding proper validation of frame lengths and SASL/SCRAM iteration counts.

If upgrading immediately is not possible, consider monitoring and restricting network traffic to trusted Kafka brokers only, to reduce the risk of malicious frame injection.

Additionally, restarting affected kafka-python clients can temporarily restore functionality if they have entered a broken state due to this vulnerability.
