CVE-2026-41726

Vulnerability

Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11 are affected when an application explicitly configures DelegatingDeserializer. A producer can send records with unique, random spring.kafka.serialization.selector header values, causing the consumer's heap to grow without bound [1].

Exploitation

An attacker with producer access to a Kafka topic consumed by an affected application can exploit this vulnerability. By sending records with unique and random values in the spring.kafka.serialization.selector header, the attacker can cause the consumer's heap to grow indefinitely. No user interaction or specific privileges beyond the ability to produce messages to a topic are required [1].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition. The unbounded growth of the consumer's heap will eventually result in garbage collection thrashing and an OutOfMemoryError, causing the application to crash or become unresponsive [1].

Mitigation

Users should upgrade to the following fixed versions: 4.0.6, 3.3.16, 3.2.14, 2.9.14, or 2.8.12, depending on the affected branch. Versions that are no longer supported are also affected. No further mitigation steps are necessary beyond upgrading [1].