2487704 – (CVE-2026-10142) CVE-2026-10142 kafka-python: kafka-python: Denial of Service due to crafted frame length in protocol parser

Bug 2487704 (CVE-2026-10142) - CVE-2026-10142 kafka-python: kafka-python: Denial of Service due to crafted frame length in protocol parser

Summary: CVE-2026-10142 kafka-python: kafka-python: Denial of Service due to crafted f...

Keywords:
Status:	NEW
Alias:	CVE-2026-10142
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-10 21:01 UTC by OSIDB Bzimport
Modified:	2026-06-12 14:55 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-10 21:01:34 UTC

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart.

Note You need to log in before you can comment on or make changes to this bug.