Cyber Resilience

CVE-2026-35554

Severity: High
Published: 07 April 2026
Modified: 08 April 2026
KEV Added: none (not currently in the CISA KEV catalog)
Patch: fixed versions available
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0033 (24.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35554 is a high-severity Race Condition (CWE-362) vulnerability in Apache Kafka (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). EPSS ranks it at the 24.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-35554 is a race condition in the Apache Kafka Java producer client’s buffer pool management that can cause messages to be silently delivered to incorrect topics. The vulnerability occurs when a produce batch expires due to delivery.timeout.ms while its network request remains in flight, leading to premature deallocation of the batch’s ByteBuffer and its return to the buffer pool. A subsequent producer batch, potentially for a different topic, may then reuse the buffer before the original request completes, corrupting its contents and resulting in misdelivery without errors reported to the producer. It affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1, with a CVSS score of 8.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) and associated CWEs CWE-362 and CWE-416.

The vulnerability enables network-based exploitation by unauthenticated attackers (PR:N), though it requires high complexity (AC:H) due to precise timing of batch expiration and buffer reuse amid in-flight requests. Successful exploitation allows attackers to cause messages intended for one topic to be delivered to another, compromising data confidentiality by exposing sensitive content to consumers authorized for the destination topic but not the source. It also disrupts data integrity, as unintended recipients may face deserialization failures, processing errors, or corrupted downstream data from incompatible messages.

Apache Kafka advisories recommend upgrading to fixed versions 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to resolve the issue. Additional details are documented in the Apache JIRA ticket at https://issues.apache.org/jira/browse/KAFKA-19012, the announcement mailing list at https://lists.apache.org/thread/f07x7j8ovyqhjd1to25jsnqbm6wj01d6, and the OSS-Security list at http://www.openwall.com/lists/oss-security/2026/04/07/6.

Vulnerability details

A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.

Data Confidentiality: Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.

Data Integrity: Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.

This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1. Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.
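The buffer lifecycle described in the deeper analysis and in the vulnerability details, as an added deterministic model that is not Apache Kafka's code: a one-buffer pool, a batch whose request is still in flight when it expires, and a second batch for another topic that reuses the buffer. `release_on_expiry` selects the vulnerable behaviour; the alternative holds the buffer until the request completes. The topic names, payloads, and the record-prefix convention used by `misdelivered` are constructed for the illustration.

```python
# Constructed model of the producer buffer-pool race behind CVE-2026-35554.
# Not Apache Kafka code: a one-buffer pool forces reuse so the race is deterministic.
from __future__ import annotations


class BufferPool:
    """Hands out fixed-size bytearrays; a single buffer forces reuse."""

    def __init__(self, size: int) -> None:
        self.free = [bytearray(size)]

    def allocate(self) -> bytearray | None:
        return self.free.pop() if self.free else None

    def deallocate(self, buf: bytearray) -> None:
        self.free.append(buf)


def send(pool: BufferPool, payload: bytes) -> bytearray | None:
    """Serialize one batch into a pooled buffer; None means the pool is exhausted."""
    buf = pool.allocate()
    if buf is not None:
        buf[: len(payload)] = payload
    return buf


def simulate(release_on_expiry: bool) -> dict[str, bytes]:
    """Return the bytes the broker persists per topic after one sequence.

    release_on_expiry=True is the vulnerable path: delivery.timeout.ms elapses
    and batch A's buffer goes back to the pool while its request is in flight.
    False models the fix: the buffer is released only after the request completes.
    """
    pool = BufferPool(16)
    a = send(pool, b"payments-rec-01!")   # batch A, topic "payments", request sent
    if release_on_expiry:
        pool.deallocate(a)                # premature free: request A still in flight
    b = send(pool, b"audit-rec-00001!")   # batch B, topic "audit-log", reuses A's buffer if freed
    delivered = {"payments": bytes(a)}    # request A completes with the buffer's current bytes
    if not release_on_expiry:
        pool.deallocate(a)                # safe: A is finished, so B may take the buffer now
        b = send(pool, b"audit-rec-00001!")
    delivered["audit-log"] = bytes(b)
    return delivered


def misdelivered(delivered: dict[str, bytes]) -> list[str]:
    """Consumer-side check: topics whose payload lacks that topic's record prefix."""
    return [t for t, p in delivered.items() if not p.startswith(t.split("-")[0].encode())]
```

In the vulnerable run the "payments" topic receives the audit record while the producer sees no error; the prefix check is the kind of consumer-side consistency test the detect control below refers to.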

CWE(s): CWE-362 (Race Condition), CWE-416 (Use After Free)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Race condition causes premature buffer deallocation and reuse, resulting in messages being silently delivered to incorrect topics, directly enabling transmitted data manipulation with impacts to confidentiality and integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20877 (shared CWE-362, CWE-416)
CVE-2026-26181 (shared CWE-362, CWE-416)
CVE-2026-32158 (shared CWE-362, CWE-416)
CVE-2026-26172 (shared CWE-362, CWE-416)
CVE-2026-4684 (shared CWE-362, CWE-416)
CVE-2026-32090 (shared CWE-362, CWE-416)
CVE-2026-20924 (shared CWE-362, CWE-416)
CVE-2026-5947 (shared CWE-362, CWE-416)
CVE-2026-32165 (shared CWE-362, CWE-416)
CVE-2025-50177 (shared CWE-362, CWE-416)

Affected Assets

Apache Kafka (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation. Directly requires timely remediation of the race condition flaw in the Apache Kafka producer by upgrading to fixed versions such as 3.9.2 or later.

detect: RA-5 Vulnerability Monitoring and Scanning. Vulnerability scanning identifies systems running Apache Kafka versions affected by this buffer pool race condition.

detect: Continuous monitoring of Kafka topics and logs detects anomalous message deliveries to incorrect topics resulting from buffer reuse corruption.
