CVE-2026-35554

Category: Information Exposure
Affects: Apache Kafka in NES for Apache Kafka
Versions: >=2.8.0 <3.9.2, >=4.0.0 <4.0.2, >=4.1.0 <4.1.2

Overview

Apache Kafka is an open-source distributed event-streaming platform used for high-throughput, fault-tolerant data pipelines, messaging, and stream processing. Its Java client library (kafka-clients) provides the producer, consumer, and admin APIs that applications use to communicate with a Kafka cluster.

A vulnerability (CVE-2026-35554) has been identified in the kafka-clients producer, where a race condition in buffer-pool management can cause messages to be silently delivered to the wrong topic. When a record batch expires while it is being sent over the network, the producer can prematurely return the batch's backing ByteBuffer to the buffer pool. A subsequent batch may then reuse that same buffer and overwrite its contents, so data intended for one topic can be transmitted to a different topic. The result is both a loss of data integrity and the exposure of message contents to consumers of an unintended topic.

Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

This issue affects multiple versions of Apache Kafka, from 2.8.0 up to but not including 3.9.2, from 4.0.0 up to but not including 4.0.2, and from 4.1.0 up to but not including 4.1.2.

Details

Module Info

Vulnerability Info

This High-severity vulnerability is found in the kafka-clients package in multiple versions of Apache Kafka. The producer client manages outbound record batches with a pooled set of ByteBuffer objects. When a batch expires during network transmission, the buffer that backs it can be deallocated and returned to the pool before the in-flight send has fully released it. The pool then hands the same buffer to a later batch, which rewrites it, so the still-pending network request carries the later batch's records and delivers them to the topic the earlier batch targeted: a use-after-free on a pooled buffer rather than on raw memory, but with the same effect. The defect is a concurrency race between batch expiry and buffer reuse. Exploitation does not require attacker input; the race can occur under normal load whenever a batch's delivery timeout (the producer's delivery.timeout.ms) elapses while its request is still being written to the socket, so slow brokers or congested networks widen the window. The consequence is silent cross-topic data corruption together with disclosure of the misrouted message contents to any client subscribed to the unintended topic.
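To make the sequence concrete, the following is a toy model written for this page; it is not kafka-clients code. BufferPool, Batch, Producer, and the in-memory "wire" dictionary are simplifications, and the deferred-release path is one generic remedy for this class of bug (return the buffer only after the in-flight request completes), not necessarily the upstream patch. The unsafe path reproduces the misrouting described above: the buffer of an expired, still-in-flight batch is recycled, a second batch for another topic overwrites it, and the first request ships the second batch's bytes.

```python
"""Toy model of a pooled-buffer race in a Kafka-style producer.

Constructed example for this advisory: the classes below are simplified
stand-ins for the producer's buffer pool, record batches and network layer,
not the real kafka-clients implementation. The unsafe path returns an
expired batch's buffer to the pool while a network request still references
it; the safe path defers the return until that request has completed.
"""
from __future__ import annotations

from dataclasses import dataclass

BUF_SIZE = 16


class BufferPool:
    """Fixed pool of bytearrays with LIFO reuse: the most recently returned
    buffer is the next one handed out, which is what makes the overwrite
    land on the buffer the in-flight request is still reading."""

    def __init__(self, count: int) -> None:
        self.free = [bytearray(BUF_SIZE) for _ in range(count)]

    def allocate(self) -> bytearray:
        return self.free.pop()

    def deallocate(self, buf: bytearray) -> None:
        self.free.append(buf)


@dataclass
class Batch:
    topic: str
    buf: bytearray
    in_flight: bool = False
    release_pending: bool = False

    def append(self, payload: bytes) -> None:
        # Records are serialised in place; the request later reads this buffer.
        self.buf[:] = payload.ljust(BUF_SIZE, b"\0")


@dataclass
class InFlightRequest:
    """Holds a reference to the batch's buffer (not a copy) until transmit()
    finally pushes the bytes onto the socket."""
    topic: str
    buf: bytearray


class Producer:
    def __init__(self, pool: BufferPool, defer_release: bool) -> None:
        self.pool = pool
        self.defer_release = defer_release  # False = vulnerable behaviour

    def new_batch(self, topic: str) -> Batch:
        return Batch(topic, self.pool.allocate())

    def begin_send(self, batch: Batch) -> InFlightRequest:
        batch.in_flight = True
        return InFlightRequest(batch.topic, batch.buf)

    def expire(self, batch: Batch) -> None:
        """Delivery timeout elapsed. Unsafe: return the buffer immediately.
        Safe: if a request still references it, release on completion."""
        if batch.in_flight and self.defer_release:
            batch.release_pending = True
        else:
            self.pool.deallocate(batch.buf)

    def complete_send(self, batch: Batch) -> None:
        batch.in_flight = False
        if batch.release_pending:
            batch.release_pending = False
            self.pool.deallocate(batch.buf)


def transmit(req: InFlightRequest, wire: dict[str, bytes]) -> None:
    """The 'broker' receives whatever the buffer holds at transmit time."""
    wire[req.topic] = bytes(req.buf).rstrip(b"\0")


def run_scenario(defer_release: bool) -> dict[str, bytes]:
    """Return {topic: payload received} for the interleaving described above."""
    producer = Producer(BufferPool(count=2), defer_release)
    wire: dict[str, bytes] = {}

    # Batch A ("orders") is handed to the network layer, but the socket is slow.
    batch_a = producer.new_batch("orders")
    batch_a.append(b"order-1")
    req_a = producer.begin_send(batch_a)

    # A's delivery timeout fires while req_a is still in flight.
    producer.expire(batch_a)

    # Batch B ("audit") is created; in the unsafe path it is given A's buffer.
    batch_b = producer.new_batch("audit")
    batch_b.append(b"audit-7")

    # The socket finally drains req_a towards the "orders" partition leader.
    transmit(req_a, wire)
    producer.complete_send(batch_a)

    transmit(producer.begin_send(batch_b), wire)
    producer.complete_send(batch_b)
    return wire


if __name__ == "__main__":
    print("unsafe:", run_scenario(defer_release=False))  # orders carries audit-7
    print("safe:  ", run_scenario(defer_release=True))   # orders carries order-1
```

In the unsafe run the "orders" topic receives the audit record, which is exactly the cross-topic disclosure the advisory describes; no attacker is involved, only a timeout racing a slow write.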

This vulnerability has been present since at least Apache Kafka 2.8.0.

Mitigation

Only recent versions of Apache Kafka are community-supported. The 3.1.x line, which falls inside the affected range, is End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for the 3.1.x line; NES for Apache Kafka is the remedy for that line.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Apache Kafka (specifically the kafka-clients dependency used by producers) to a currently supported release that contains the fix: 3.9.2, 4.0.2, or 4.1.2, depending on the release line in use.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
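Before choosing between those options, a practitioner usually wants to know which kafka-clients versions a service actually pulls in, including transitive and test-scoped ones. The following is an added example for this advisory, not HeroDevs or Apache tooling: it encodes the affected ranges listed above and scans dependency-tree output for kafka-clients artifacts. The tree lines are constructed sample input in the format `mvn dependency:tree` prints.

```python
"""Flag kafka-clients versions that fall in the affected ranges on this page.

Added example for this advisory (not HeroDevs or Apache tooling). SAMPLE_TREE
is constructed input in the groupId:artifactId:type:version:scope format that
`mvn dependency:tree` prints; the ranges are the ones stated in this advisory.
"""
from __future__ import annotations

import re

# Affected ranges exactly as stated on this page:
# (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((2, 8, 0), (3, 9, 2)),
    ((4, 0, 0), (4, 0, 2)),
    ((4, 1, 0), (4, 1, 2)),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """'3.1.2' -> (3, 1, 2); '3.9.2-SNAPSHOT' -> (3, 9, 2).
    Anything after the numeric part is ignored for the comparison."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Matches both "org.apache.kafka:kafka-clients:jar:3.1.2:compile" (Maven) and
# "org.apache.kafka:kafka-clients:3.1.2" (Gradle-style coordinates).
_DEP_RE = re.compile(r"org\.apache\.kafka:kafka-clients:(?:[\w-]+:)?(\d[^:\s]*)")


def scan_dependency_tree(lines) -> list[tuple[str, bool]]:
    """Return (version, affected) for every kafka-clients line in the tree."""
    findings = []
    for line in lines:
        m = _DEP_RE.search(line)
        if m:
            version = m.group(1)
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample: a service pinning an EOL 3.1.x client, plus a
# test-scoped 4.0.2 client pulled in by an embedded-broker test dependency.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.apache.kafka:kafka-clients:jar:3.1.2:compile
[INFO] |  +- com.github.luben:zstd-jni:jar:1.5.0-4:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \\- org.apache.kafka:kafka-clients:jar:4.0.2:test
""".splitlines()

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"kafka-clients {version}: {'AFFECTED' if affected else 'ok'}")
```

Run it over the real output of `mvn dependency:tree` (or the equivalent Gradle report) rather than the sample; a compile-scoped hit on an EOL line such as 3.1.x is the case the NES option above is meant for, while a hit on 3.9.x, 4.0.x or 4.1.x can simply be bumped to the fixed release.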

Credits

  • Donny Nadolny (finder)
  • Bharath Vissapragada (finder)

Vulnerability Details

Severity: High

CVSS assessment scale
  Level      CVSS score
  Low        >=0 <4
  Medium     >=4 <6
  High       >=6 <8
  Critical   >=8 <10

ID: CVE-2026-35554
Project affected: Apache Kafka
Versions affected: >=2.8.0 <3.9.2, >=4.0.0 <4.0.2, >=4.1.0 <4.1.2
NES versions affected:
Published date: July 1, 2026
Fix date (approximate):
Category: Information Exposure