Medium severity6.5NVD Advisory· Published Jun 19, 2026

CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.

CVE-2026-54775

Description

Impact

A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.

Preconditions

The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Only allow authenticated writes to a topic

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

CoreWCF/Corewcfllm-fuzzy
Range: <1.8.1, <1.9.1

Patches

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000