CVE-2026-41726
Status: Received - Intake
Heap Exhaustion in Spring for Apache Kafka

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Affected Vendors & Products
Showing 6 associated CPEs

Vendor | Product          | Version / Range
-------|------------------|--------------------------------
spring | for_apache_kafka | From 2.8.0 (inc) to 4.0.5 (inc)
spring | for_apache_kafka | 4.0.6
spring | for_apache_kafka | 3.3.16
spring | for_apache_kafka | 3.2.14
spring | for_apache_kafka | 2.9.14
spring | for_apache_kafka | 2.8.12
CWE ID  | Description
--------|------------------------------------------------------------------
CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-41726 is a vulnerability in Spring for Apache Kafka that occurs when an application uses the DelegatingDeserializer feature. A producer can exploit this by sending records with unique, random values in the "spring.kafka.serialization.selector" header. This causes the consumer's heap memory to grow without limit because the delegate cache grows unbounded, eventually leading to excessive garbage collection and an OutOfMemoryError.

Impact Analysis

This vulnerability can cause the consumer application's heap memory to grow indefinitely, which leads to garbage collection thrashing and eventually an OutOfMemoryError. This can result in application crashes, degraded performance, and denial of service, impacting the availability and reliability of systems using affected versions of Spring for Apache Kafka with DelegatingDeserializer enabled.

Detection Guidance

This vulnerability occurs when an application uses DelegatingDeserializer and a producer sends records with unique random spring.kafka.serialization.selector header values, causing unbounded heap growth.

Detection would involve monitoring Kafka consumer applications for unusual heap memory growth or frequent garbage collection thrashing.

There are no specific commands provided in the available resources to detect this vulnerability directly.
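As an added example (not from the advisory or from the Spring for Apache Kafka project), the following Python check implements the monitoring idea above on the consumer side: it counts distinct spring.kafka.serialization.selector header values with a hard cap, so an alert fires as soon as a producer pushes more distinct selectors than the application legitimately registers, while the monitor itself stays bounded. It assumes record headers arrive as (key, bytes) pairs, the shape kafka-python exposes, and the sample traffic is constructed.

```python
# Added example: bounded-cardinality monitor for the selector header.
# Not from Spring for Apache Kafka or the advisory. Headers are assumed to
# arrive as (key, bytes) pairs, as kafka-python exposes them on records.
import random
import uuid

SELECTOR_HEADER = "spring.kafka.serialization.selector"


class SelectorCardinalityMonitor:
    """Tracks distinct selector values up to a fixed cap, so the monitor
    stays bounded even when the delegate cache it watches would not."""

    def __init__(self, max_distinct=16):
        self.max_distinct = max_distinct  # legitimate selectors are few and known
        self.seen = set()
        self.over_cap = 0  # records that carried a selector beyond the cap

    def observe(self, headers):
        """Return True if this record introduces a selector past the cap."""
        alert = False
        for key, value in headers:
            if key != SELECTOR_HEADER:
                continue
            selector = value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value)
            if selector in self.seen:
                continue
            if len(self.seen) >= self.max_distinct:
                self.over_cap += 1
                alert = True
            else:
                self.seen.add(selector)
        return alert


def first_alert_index(records, max_distinct=16):
    """Scan a list of per-record header lists; return the index of the first
    record that trips the cap, or -1 if the stream stays within bounds."""
    monitor = SelectorCardinalityMonitor(max_distinct)
    for i, headers in enumerate(records):
        if monitor.observe(headers):
            return i
    return -1


# Constructed sample traffic: a well-behaved producer alternates between two
# registered selectors; an abusive one stamps every record with a fresh
# random value, which is the pattern the advisory describes.
BENIGN = [[(SELECTOR_HEADER, b"order" if i % 2 else b"invoice")] for i in range(100)]
_rng = random.Random(1)
ABUSIVE = [[(SELECTOR_HEADER, uuid.UUID(int=_rng.getrandbits(128)).hex.encode())] for _ in range(100)]
```

In a real consumer the cap would be set to the number of delegates the application actually registers, and an alert would be wired to metrics or a consumer interceptor rather than returned from a scan.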

Mitigation Strategies

The primary mitigation step is to upgrade Spring for Apache Kafka to a fixed version.

  • Upgrade to version 4.0.6 if you are using 4.0.0 through 4.0.5.
  • Upgrade to version 3.3.16 if you are using 3.3.0 through 3.3.15.
  • Upgrade to version 3.2.14 if you are using 3.2.0 through 3.2.13.
  • Upgrade to version 2.9.14 if you are using 2.9.0 through 2.9.13.
  • Upgrade to version 2.8.12 if you are using 2.8.0 through 2.8.11.

No additional mitigation steps are required beyond upgrading.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
