CVE-2026-40006
Received Received - Intake

Memory Allocation Failure in Apache IoTDB

Vulnerability report for CVE-2026-40006, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Apache Software Foundation

Description

Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver accepts raw TCP connections on port 9780 with no authentication. The readLength method reads an attacker-controlled 32-bit integer from the socket and readData passes it directly to new byte[length] with no upper-bound check. An unauthenticated attacker can cause the JVM to attempt an allocation of up to 2,147,483,647 bytes per connection, exhausting heap memory and crashing or severely degrading the DataNode process. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache iotdb From 1.0.0 (inc) to 2.0.10 (exc)
apache iotdb 2.0.10

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated TCP connections on port 9780 when the pipe_air_gap_receiver_enabled setting is true in Apache IoTDB.

You can check if the vulnerable service is running and listening on port 9780 using network commands.

  • Use netstat or ss to check for listening TCP ports: netstat -tulnp | grep 9780 or ss -tulnp | grep 9780
  • Use nmap to scan the host for open port 9780: nmap -p 9780 <target-ip>
  • Check the Apache IoTDB configuration file for pipe_air_gap_receiver_enabled=true to confirm if the vulnerable feature is enabled.

Additionally, monitoring JVM heap usage for sudden spikes or crashes of the DataNode process may indicate exploitation attempts.

Mitigation Strategies

Users are recommended to upgrade Apache IoTDB to version 2.0.10, which fixes the vulnerability.

This vulnerability occurs when pipe_air_gap_receiver_enabled=true, allowing unauthenticated raw TCP connections on port 9780. Disabling this setting or restricting access to port 9780 may help mitigate the issue until an upgrade is applied.

Impact Analysis

This vulnerability can severely impact the availability and stability of your Apache IoTDB deployment.

  • An unauthenticated attacker can cause the JVM to allocate excessive memory, leading to heap exhaustion.
  • Heap exhaustion can cause the DataNode process to crash or become severely degraded, resulting in denial of service.
  • Since no authentication is required, the attack can be launched remotely without any credentials.
Executive Summary

This vulnerability exists in Apache IoTDB when the configuration pipe_air_gap_receiver_enabled is set to true. In this state, the IoTDB AirGap pipe receiver accepts raw TCP connections on port 9780 without requiring any authentication.

An attacker can send a specially crafted 32-bit integer to the readLength method, which is then used directly to allocate a byte array without any upper-bound checks. This means the attacker can request an extremely large memory allocation (up to 2,147,483,647 bytes) per connection.

Because there is no limit or throttling on resource allocation and no authentication on this critical function, an unauthenticated attacker can exhaust the JVM heap memory, causing the DataNode process to crash or degrade severely.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40006. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart