In Spring for Apache Kafka, unbounded delegate cache keyed on...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Basic Information

ID CVE-2026-41726

Source vmware

Published Jun 9, 2026 at 23:48

Affected Product

Vendor Spring

Product Spring for Apache Kafka

Version 4.0.0

Affected Versions Spring Spring for Apache Kafka 4.0.0
Spring Spring for Apache Kafka 3.3.0
Spring Spring for Apache Kafka 3.2.0
Spring Spring for Apache Kafka 2.9.0
Spring Spring for Apache Kafka 2.8.0

CWE Classification

CWE-770

References

spring.io /security/cve-2026-41726

{
    "lastseen": "",
    "description": "When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.",
    "published": "2026-06-09T23:48:51.048Z",
    "modified": "2026-06-09T23:48:51.048Z",
    "type": "cve",
    "title": "In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41726",
    "id": "CVE-2026-41726",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring for Apache Kafka 4.0.0\nSpring Spring for Apache Kafka 3.3.0\nSpring Spring for Apache Kafka 3.2.0\nSpring Spring for Apache Kafka 2.9.0\nSpring Spring for Apache Kafka 2.8.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring for Apache Kafka",
    "version": "4.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header_CVE-2026-41726