Heap buffer overflow in libhdfs native library
Description
There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by a user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in Apache Hadoop libhdfs native code allows denial of service or arbitrary code execution via crafted file paths.
CVE-2021-37404 is a heap buffer overflow vulnerability in the native code of Apache Hadoop's libhdfs library. The root cause is the lack of validation on user-provided file paths when they are opened by the library, leading to a write beyond the allocated heap buffer [1].
An attacker can exploit this vulnerability by supplying a specially crafted file path to an application that uses the libhdfs library. No authentication is required if the attacker can invoke file opening operations, potentially through the HDFS API or other interfaces that accept user input [1].
Successful exploitation could result in a denial of service due to application crash or memory corruption, or arbitrary code execution in the context of the Hadoop process. This could allow an attacker to compromise the system running Hadoop [1].
Apache has released fixes in Hadoop versions 2.10.2, 3.2.3, and 3.3.2. Users are advised to upgrade to these or later versions to mitigate the vulnerability [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hadoop:hadoop-common | Maven | >= 3.3.0, < 3.3.2 | 3.3.2 |
| org.apache.hadoop:hadoop-common | Maven | >= 3.0.0, < 3.2.3 | 3.2.3 |
| org.apache.hadoop:hadoop-common | Maven | < 2.10.2 | 2.10.2 |
Affected products
- Apache Software Foundation / Apache Hadoop, affected range: 2.9.0 to 2.10.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rmpj-7c96-mrg8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-37404 (NVD advisory)
- lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo (Apache announcement thread)
- security.netapp.com/advisory/ntap-20220715-0007 (NetApp advisory)
News mentions
No linked articles in our index yet.