HIGH 7.5

CVE-2026-49361: Apache Fluss Remote Denial of Service via Oversized Frame

Apache Fluss, a distributed stream processing engine still in incubation at the Apache Software Foundation, contains a critical flaw in how it handles network traffic. Versions 0.8.0 and 0.9.0 allow attackers on the network to send specially crafted data packets that trick the system into consuming massive amounts of memory, causing the service to crash. No authentication is required—an attacker can do this from anywhere on the network without logging in. This is a denial-of-service vulnerability that impacts both the TabletServer and CoordinatorServer components.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400, CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from Apache Fluss's use of Netty's LengthFieldBasedFrameDecoder, a network protocol decoder that parses incoming data frames. The decoder is configured with Integer.MAX_VALUE (2,147,483,647 bytes) as the maximum allowable frame length. An attacker can exploit this by sending a frame header claiming an extremely large payload size. The TabletServer and CoordinatorServer will attempt to allocate heap memory to buffer this claimed frame, but the attacker never sends the full payload. This causes the JVM to exhaust available heap memory and enter out-of-memory conditions, rendering the affected component unavailable. The root cause is inadequate frame-size validation combined with a permissive configuration that trusts client-supplied length fields without bounds checking against actual application requirements.

Business impact

Organizations running Apache Fluss in production will experience service unavailability if exploited. Because this affects both TabletServer and CoordinatorServer—core components of the Fluss cluster—an attack can disrupt real-time stream processing pipelines, cause data loss if streams are not replicated or persisted, and trigger cascade failures in dependent applications. For teams relying on Fluss for real-time analytics, fraud detection, or event processing, even brief DoS events translate to blind spots and delayed decision-making. The incubation status of Fluss means early adopters and organizations piloting stream processing architectures are most directly affected.

Affected systems

Apache Fluss versions 0.8.0 and 0.9.0 are affected. The vulnerability manifests on both TabletServer and CoordinatorServer processes within a Fluss cluster. Any deployment of these versions exposed to untrusted network traffic—particularly clusters accessible from the internet or shared networks—is at risk. Version 0.9.1 and later are not affected.

Exploitability

This vulnerability is highly exploitable. No authentication or credentials are required; an unauthenticated attacker can trigger the issue from any network vantage point with connectivity to the affected servers' ports. The exploit is trivial to execute—it requires only the ability to send a single specially crafted network frame with an oversized length declaration. No user interaction, special privileges, or complex multi-step attack chain is necessary. The CVSS 3.1 score of 7.5 (HIGH) reflects the ease of exploitation and the high impact of denial of service, though confidentiality and integrity are not compromised.

Remediation

Upgrade to Apache Fluss version 0.9.1 or later, which corrects the frame decoder configuration and enforces reasonable bounds on frame lengths. Prior to patching, network-level mitigations such as firewall rules limiting access to Fluss ports (TabletServer and CoordinatorServer listening addresses) to trusted networks only can reduce exposure. Rate-limiting or connection-limiting rules may also provide temporary protection, though they do not eliminate the vulnerability.

Patch guidance

Apply the upgrade to version 0.9.1 as soon as feasible. The patch is a point release and should be tested in a staging environment first to confirm compatibility with your streaming workloads and topology. If your Fluss cluster is running in a containerized or Kubernetes environment, update the image version and perform a rolling restart of cluster nodes to minimize disruption. Verify that both TabletServer and CoordinatorServer processes restart successfully and rejoin the cluster before returning to full traffic.

Detection guidance

Monitor JVM heap usage on TabletServer and CoordinatorServer instances for sudden spikes or sustained high memory consumption without corresponding increases in valid data volume. Check application logs for out-of-memory errors or repeated garbage collection pauses. Network intrusion detection systems can be tuned to flag frames with suspiciously large length fields sent to Fluss ports. Correlate network traffic patterns with heap memory metrics; legitimate Fluss traffic should exhibit a known baseline of frame sizes tied to your topic partition sizes and batch configurations. Anomalous frames claiming gigabyte-scale payloads are strong indicators of exploitation attempts.

Why prioritize this

This vulnerability merits immediate attention because it allows unauthenticated remote denial of service with trivial exploitation. Organizations running Fluss 0.8.0 or 0.9.0 should treat this as a critical availability risk. The combination of zero authentication requirement, low attack complexity, and direct impact on core cluster components justifies rapid remediation. Even though Fluss is in incubation and may not be running in all environments, any production deployment is vulnerable.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects: a network vector (AV:N) requiring no special access, low attack complexity (AC:L) with trivial exploitation, no authentication (PR:N), scope unchanged (S:U), no confidentiality impact (C:N), no integrity impact (I:N), but high availability impact (A:H) due to guaranteed denial of service. This scoring correctly emphasizes the severity of unauthenticated remote DoS; the primary concern is operational continuity rather than data breach.

Frequently asked questions

Is this vulnerability in the Apache Fluss CVSS Known Exploited Vulnerabilities (KEV) catalog?

No, this vulnerability is not currently listed in the CISA KEV catalog. However, lack of KEV status does not diminish the urgency of patching; it reflects that mass exploitation or weaponized proof-of-concept code has not yet been widely observed, not that the vulnerability is less serious.

We use Fluss in a private data center behind a firewall. Is our cluster still at risk?

Risk is reduced but not eliminated if your Fluss ports are restricted to trusted internal networks. However, insider threats and compromised internal systems can still exploit this vulnerability. Patching to 0.9.1 is still recommended as a defense-in-depth measure, even if network access controls are in place.

Can I apply a temporary workaround without upgrading?

There is no complete workaround without patching. Restricting network access to Fluss cluster ports to only known, trusted sources and implementing network-level rate-limiting may provide temporary friction, but they do not fix the underlying frame decoder misconfiguration. Upgrade to 0.9.1 as soon as your change control and testing processes permit.

Does this vulnerability allow data exfiltration or corruption?

No. This vulnerability is strictly a denial-of-service attack. It does not compromise data confidentiality or integrity; it exhausts memory and crashes components. Existing data is not exposed or modified, but stream processing is interrupted until the affected servers recover or are restarted.

This analysis is provided for informational purposes and reflects the vulnerability data available as of the publication date. SEC.co does not guarantee the completeness or accuracy of patch version information; always verify against the official Apache Fluss security advisory and release notes. Organizations should conduct their own risk assessment and testing before applying patches. This document does not constitute legal or compliance advice. Consult your organization's security policies and vendor documentation for authoritative guidance on remediation timelines and procedures. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).