CVE-2026-41726: Heap Growth Vulnerability in Spring for Apache Kafka
Severity: Medium (Score: 57.1)
Sources: spring.io, nvd.nist.gov, Thehackerwire, www.cvedetails.com
Summary
CVE-2026-41726 was published on June 9, 2026, detailing a vulnerability in Spring for Apache Kafka. When applications use DelegatingDeserializer, producers can send records with unique random header values, leading to unbounded heap growth, GC thrashing, and potential OutOfMemoryError. Affected versions include Spring for Apache Kafka 4.0.0 to 4.0.5, 3.3.0 to 3.3.15, 3.2.0 to 3.2.13, 2.9.0 to 2.9.13, and 2.8.0 to 2.8.11. Users of these versions are advised to upgrade to the fixed versions; no further mitigation steps are necessary. The vulnerability was discovered internally, and only deployments that explicitly configured DelegatingDeserializer are affected. This issue impacts users who have not yet upgraded to the corresponding fixed versions.

Key Points:
- CVE-2026-41726 allows heap growth leading to OutOfMemoryError in specific Spring for Apache Kafka versions.
- Affected versions include Spring for Apache Kafka 4.0.0 to 4.0.5 and earlier versions.
- Users are urged to upgrade to the fixed versions, as no additional mitigation is available.
Detailed Analysis
**Impact**

Applications using Spring for Apache Kafka that have explicitly enabled the DelegatingDeserializer feature are affected. The vulnerability allows a producer to cause unbounded heap growth on the consumer side, leading to garbage collection thrashing and OutOfMemoryError conditions. This can result in application crashes and service disruptions for any sector relying on Kafka messaging with affected Spring versions, including versions 2.8.0 through 2.9.13, 3.2.0 through 3.3.15, and 4.0.0 through 4.0.5. No specific geographic or sectoral data is provided.

**Technical Details**

The attack vector involves a malicious producer sending Kafka records with unique, random `spring.kafka.serialization.selector` header values to consumers configured with DelegatingDeserializer. This causes uncontrolled heap growth in the consumer JVM, leading to GC thrashing and eventual OutOfMemoryError. The vulnerability is tracked as CVE-2026-41726. No malware, additional infrastructure details, or IOCs are provided in the source articles.

**Recommended Response**

Affected users should upgrade to the fixed versions of Spring for Apache Kafka as soon as possible. No additional mitigation steps are necessary beyond applying the patch. Until the update is applied, monitoring Kafka consumer applications configured with DelegatingDeserializer for unusual heap growth or GC thrashing is advised. No specific detection signatures or indicators were provided.
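As an added monitoring example (not code from the advisory or the Spring project), the consumer-side tracker below counts how many distinct `spring.kafka.serialization.selector` values a consumer has seen and flags the condition once that count exceeds the small, fixed set of selectors a legitimate DelegatingDeserializer deployment configures, which is the "unique random header values" pattern the advisory describes. It assumes only the header name given in the advisory and the Kafka client `Headers` type; the threshold and tracking limit are hypothetical tuning values, and the tracker is itself bounded so the monitor cannot become a second unbounded structure.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.header.Header;
import org.apache.kafka.common.header.Headers;

/**
 * Tracks the number of distinct selector header values seen by a consumer.
 * A deployment that opts into DelegatingDeserializer configures only a few
 * selectors, so a steadily growing distinct-value count is the signal worth
 * alerting on while the upgrade is pending.
 */
public final class SelectorCardinalityMonitor {
    // Header name as given in the advisory.
    static final String SELECTOR_HEADER = "spring.kafka.serialization.selector";

    private final int alertThreshold;   // hypothetical: distinct values that trigger an alert
    private final Set<String> seen;     // bounded, insertion-ordered set of selectors

    public SelectorCardinalityMonitor(int alertThreshold, int maxTracked) {
        this.alertThreshold = alertThreshold;
        // A LinkedHashMap that evicts its eldest entry gives a bounded set, so the
        // monitor's own memory use stays fixed no matter how many values arrive.
        this.seen = Collections.newSetFromMap(new LinkedHashMap<String, Boolean>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > maxTracked;
            }
        });
    }

    /** Records the selector carried by one record's headers; returns true once the alert threshold is reached. */
    public boolean observe(Headers headers) {
        Header h = headers.lastHeader(SELECTOR_HEADER);
        if (h == null || h.value() == null) {
            return false;   // no selector header: not the pattern being watched for
        }
        String selector = new String(h.value(), StandardCharsets.UTF_8);
        seen.add(selector);
        return seen.size() >= alertThreshold;
    }

    /** Current number of distinct selectors tracked; export this as a gauge metric. */
    public int distinctSelectors() {
        return seen.size();
    }
}
```

Call `observe` from the consumer's record-processing path (for example a record interceptor) and export `distinctSelectors()` as a metric; a count that climbs past the number of selectors actually configured is the condition to alert on, alongside the heap and GC metrics the advisory recommends watching.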
Source articles (4)
- CVE-2026-41726 - Medium Vulnerability — Thehackerwire · 2026-06-10
  When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eve…
- Cve 2026 41726 — spring.io · 2026-06-10
  When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, ev…
- NVD Official Record — nvd.nist.gov · 2026-06-10
  This CVE record has recently been published to the CVE List and has been included within the NVD dataset. When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap…
- CVE Details Statistics — www.cvedetails.com · 2026-06-10
Timeline
- 2026-06-09 — CVE-2026-41726 published: The vulnerability in Spring for Apache Kafka was officially disclosed, affecting multiple versions.
- 2026-06-10 — Security advisory released: Spring.io and The Hacker Wire reported on the vulnerability, urging users to upgrade affected versions.
Related entities
- CWE-400 - Uncontrolled Resource Consumption (CWE)
- Apache Tomcat (Platform)
- OpenJDK (Platform)
- Spring for Apache Kafka (Platform)