CVE-2026-41726: Spring for Apache Kafka Unbounded Memory Allocation in DelegatingDeserializer
Spring for Apache Kafka applications that have enabled DelegatingDeserializer are vulnerable to a resource exhaustion attack where an authenticated attacker can send specially crafted Kafka messages containing random header values. The application will consume increasing amounts of heap memory without releasing it, eventually exhausting available memory and causing the application to crash or become unresponsive.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-770
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Spring for Apache Kafka's DelegatingDeserializer implementation, which fails to bound memory allocation when processing messages with varying spring.kafka.serialization.selector header values. An attacker with producer credentials can exploit this by sending records with unique random header values, causing the consumer to cache unbounded serializer instances or related metadata. This leads to heap exhaustion, triggering garbage collection thrashing and ultimately OutOfMemoryError exceptions. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
Business impact
Availability disruptions in Kafka-dependent systems can cascade through data pipelines and microservices architectures. Affected applications may experience degraded performance, sudden crashes, or require manual intervention and restarts. In production environments, this translates to data processing delays, failed message consumption, and potential service outages. Organizations relying on Kafka for real-time data ingestion, event streaming, or critical backend services face operational risk and may incur incident response costs.
Affected systems
Spring for Apache Kafka versions 2.8.0–2.8.11, 2.9.0–2.9.13, 3.2.0–3.2.13, 3.3.0–3.3.15, and 4.0.0–4.0.5 are affected. Only applications that have explicitly opted into DelegatingDeserializer functionality are vulnerable. Applications using Spring for Apache Kafka without DelegatingDeserializer are not impacted. VMware Spring for Apache Kafka is the primary affected product; check with VMware for any downstream integrations.
Exploitability
Exploitation requires network access to the Kafka broker and valid producer credentials (Authentication: Low privilege required). An attacker must be able to send messages to topics consumed by the target application. No user interaction or special conditions beyond DelegatingDeserializer enablement are needed. The low barrier to exploitation—once authenticated—combined with a straightforward attack vector (crafted message headers) makes this a practical risk in environments where producer credentials are less tightly controlled than consumer access.
Remediation
Upgrade to patched versions: Spring for Apache Kafka 2.8.12 or later, 2.9.14 or later, 3.2.14 or later, 3.3.16 or later, or 4.0.6 or later (verify exact patch versions against VMware's advisory). If immediate patching is not feasible, disable DelegatingDeserializer if operationally possible, or restrict producer access to trusted systems and monitor heap consumption for anomalous growth. Implement network segmentation to limit Kafka producer connectivity.
Patch guidance
VMware will release patched versions addressing the unbounded memory allocation. Consult the official VMware Spring for Apache Kafka security advisory for exact version numbers and availability. Plan upgrades within your normal change management process, prioritizing production environments. Test patches in a staging environment first, particularly if your deployment relies heavily on DelegatingDeserializer functionality. Monitor application logs and heap metrics post-patch to confirm the fix resolves memory pressure.
Detection guidance
Monitor Spring for Apache Kafka consumer process heap utilization for unexplained growth or sustained high memory use without corresponding increases in message volume. Check for patterns of repeated GC events followed by OutOfMemoryError in application logs. Examine Kafka message headers in traffic targeting your consumers for unusual or random spring.kafka.serialization.selector values, which may indicate reconnaissance or attack activity. Set alerting thresholds on heap usage relative to baseline and GC frequency anomalies.
Why prioritize this
While the CVSS score of 6.5 (MEDIUM) reflects limited scope and no confidentiality or integrity impact, the practical availability risk in production systems warrants prompt attention. The combination of low authentication requirements, straightforward attack mechanics, and significant operational impact makes this a moderate-priority vulnerability for organizations running Spring for Apache Kafka with DelegatingDeserializer enabled. Organizations without DelegatingDeserializer can deprioritize but should confirm configuration and include this in inventory management.
Risk score, explained
CVSS 3.1 score of 6.5 (MEDIUM) reflects: Network vector (AV:N) for remote exploitability via Kafka; Low complexity (AC:L) due to straightforward crafted-header attack; Low privilege (PR:L) requirement for producer credentials; No user interaction (UI:N); High availability impact (A:H) from resource exhaustion and OutOfMemoryError. Confidentiality and integrity are not affected (C:N/I:N), limiting the score. In context, organizations dependent on uninterrupted Kafka operations may assess this as higher risk operationally than the numeric score suggests.
Frequently asked questions
Do we need to patch if we are not using DelegatingDeserializer?
No. This vulnerability only affects applications that have explicitly opted into DelegatingDeserializer functionality in their Spring for Apache Kafka configuration. Review your application configuration to confirm whether DelegatingDeserializer is enabled. If it is not in use, you are not at risk from this specific vulnerability.
Can this be exploited without valid Kafka producer credentials?
No. The attacker must authenticate as a producer to send messages to Kafka topics consumed by the target application. This limits the threat to scenarios where an attacker has compromised or been granted producer credentials, or where producer access is not adequately restricted.
What is the difference between the affected versions?
All affected versions (2.8.0–2.8.11, 2.9.0–2.9.13, 3.2.0–3.2.13, 3.3.0–3.3.15, 4.0.0–4.0.5) contain the same vulnerability. VMware will release patched versions for each major and minor release line. Identify which version your application uses and upgrade to the corresponding patched release in that line.
Could an attacker cause persistent damage or steal data with this vulnerability?
No. This vulnerability only causes memory exhaustion and availability disruption. There is no mechanism for confidentiality breach (data theft) or integrity compromise (data modification). The risk is limited to denial of service and application crashes.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Patch availability, vendor timelines, and remediation steps may change. Organizations should verify exact patch version numbers, compatibility, and availability directly with VMware's official security advisory before planning upgrades. SEC.co does not provide guarantee of accuracy regarding future vendor actions or patch release dates. Always test patches in non-production environments and consult your internal security and infrastructure teams before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-41851MEDIUMSpring Framework SpEL Denial of Service Vulnerability
- CVE-2026-41007HIGHSpring HATEOAS Unbounded Cache Denial-of-Service Vulnerability
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-10740MEDIUMs2n-quic Memory Allocation DoS – QUIC CRYPTO Frame Reassembler
- CVE-2026-24720MEDIUMQNAP File Station 6 Resource Exhaustion Vulnerability
- CVE-2026-28237MEDIUMAMD uProf Resource Exhaustion Vulnerability – Patch Guidance
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability