CVE-2026-49361
Heap Exhaustion in Apache Fluss via Netty Frame Decoding
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | fluss | 0.8.0 |
| apache | fluss | 0.9.0 |
| apache | fluss | to 0.9.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache Fluss versions prior to 0.9.1, where the Netty LengthFieldBasedFrameDecoder is configured with Integer.MAX_VALUE as the maximum frame length.
Because of this configuration, unauthenticated remote attackers can send specially crafted frame headers that cause the JVM heap memory on TabletServer and CoordinatorServer to be exhausted.
This leads to a denial of service condition, making the affected servers unavailable.
How can this vulnerability impact me? :
The vulnerability can be exploited by unauthenticated remote attackers to exhaust the JVM heap memory on critical components such as TabletServer and CoordinatorServer.
This results in a denial of service, potentially causing service outages and disruption of operations that rely on Apache Fluss.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache Fluss to version 0.9.1, which fixes the issue.