Bug 2455916 (CVE-2026-35554)

Summary: CVE-2026-35554 Apache Kafka Clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ant, aprice, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, bstansbe, caswilli, ccranfor, cescoffi, chfoley, cmah, dandread, dhanak, dkreling, dlofthou, drosa, dsimansk, ewittman, fmariani, fmongiar, gmalinko, gsmet, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jmartisk, jnethert, jpechane, jrokos, jsamir, kaycoth, kingland, kverlaen, lthon, manderse, mnovotny, mosmerov, mstipich, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, pberan, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rexwhite, rgodfrey, rguimara, rkubis, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, smaestri, sthirugn, swoodman, tcunning, thjenkin, tqvarnst, vdosoudi, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Apache Kafka Java producer client. A race condition in the client's buffer pool management can cause messages to be silently delivered to incorrect topics. This occurs when a message batch expires while its network request is still active, leading to premature buffer deallocation and potential reuse by other messages. Consequently, sensitive data may be exposed to unauthorized consumers, and data integrity can be compromised through deserialization failures and processing errors.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-07 14:01:32 UTC 
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics.

When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.


Data Confidentiality:
Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.

Data Integrity:
Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.

This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and  ≤ 4.1.1.

Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.
Comment 3 errata-xmlrpc 2026-05-05 07:57:02 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.14 for Quarkus 3.27

Via RHSA-2026:13631 https://access.redhat.com/errata/RHSA-2026:13631
Comment 4 errata-xmlrpc 2026-05-14 16:55:32 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14

Via RHSA-2026:17668 https://access.redhat.com/errata/RHSA-2026:17668