CVE-2026-35554
Published: 07 April 2026
Summary
CVE-2026-35554 is a high-severity Race Condition (CWE-362) vulnerability in Apache Kafka (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-35554 is a race condition in the Apache Kafka Java producer client’s buffer pool management that can cause messages to be silently delivered to incorrect topics. The vulnerability occurs when a produce batch expires due to delivery.timeout.ms while its network request remains in flight, leading to premature deallocation of the batch’s ByteBuffer and its return to the buffer pool. A subsequent producer batch, potentially for a different topic, may then reuse the buffer before the original request completes, corrupting its contents and resulting in misdelivery without errors reported to the producer. It affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1, with a CVSS score of 8.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) and associated CWEs CWE-362 and CWE-416.
The vulnerability enables network-based exploitation by unauthenticated attackers (PR:N), though it requires high complexity (AC:H) due to precise timing of batch expiration and buffer reuse amid in-flight requests. Successful exploitation allows attackers to cause messages intended for one topic to be delivered to another, compromising data confidentiality by exposing sensitive content to consumers authorized for the destination topic but not the source. It also disrupts data integrity, as unintended recipients may face deserialization failures, processing errors, or corrupted downstream data from incompatible messages.
Apache Kafka advisories recommend upgrading to fixed versions 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to resolve the issue. Additional details are documented in the Apache JIRA ticket at https://issues.apache.org/jira/browse/KAFKA-19012, the announcement mailing list at https://lists.apache.org/thread/f07x7j8ovyqhjd1to25jsnqbm6wj01d6, and the OSS-Security list at http://www.openwall.com/lists/oss-security/2026/04/07/6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19631
Vulnerability details
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch, potentially destined for a different topic, reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.
Data Confidentiality: Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.
Data Integrity: Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.
This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1. Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.
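The sequence described in the deeper analysis and in the vulnerability details above (batch expires while its request is in flight, buffer goes back to the pool, a later batch for another topic reuses it) is easiest to see in a small model. The following is an added, constructed Python simulation, not Apache Kafka code: `BufferPool`, `ProducerBatch`, `expire`, `complete` and `simulate` are assumed names for a pool that recycles fixed-size buffers, a batch that serializes into one, and a request that keeps pointing at that buffer until the send completes. The same run is executed once with the premature release and once with the release deferred until the in-flight request has finished, which is the property a fix must restore.

```python
"""Constructed model of the buffer-pool race behind CVE-2026-35554.

Not Apache Kafka code: a pool recycles fixed-size bytearrays, a producer
batch serializes its records into one, and an in-flight produce request keeps
a reference to that buffer until the send completes.
"""
from dataclasses import dataclass, field

BUFFER_SIZE = 32  # constructed value, not a Kafka setting


class BufferPool:
    """Recycles released buffers; a fresh buffer is created only when none is free."""

    def __init__(self) -> None:
        self.free: list[bytearray] = []

    def allocate(self) -> bytearray:
        return self.free.pop() if self.free else bytearray(BUFFER_SIZE)

    def release(self, buf: bytearray) -> None:
        self.free.append(buf)


@dataclass
class ProducerBatch:
    topic: str
    buffer: bytearray
    in_flight: bool = False  # a produce request referencing `buffer` has been sent
    expired: bool = False    # delivery.timeout.ms elapsed before a response arrived

    def write(self, payload: bytes) -> None:
        # Overwrite the whole buffer, as a new batch serializing into it would.
        self.buffer[:] = payload.ljust(BUFFER_SIZE, b"\x00")


@dataclass
class SimResult:
    delivered: dict[str, list[bytes]] = field(default_factory=dict)
    buffer_reused_while_in_flight: bool = False


def expire(batch: ProducerBatch, pool: BufferPool, fix_applied: bool) -> None:
    """delivery.timeout.ms fires for a batch whose request may still be in flight."""
    batch.expired = True
    if fix_applied and batch.in_flight:
        return  # hardened: keep the buffer until the request has completed
    pool.release(batch.buffer)  # vulnerable: buffer recycled while still referenced


def complete(batch: ProducerBatch, pool: BufferPool, fix_applied: bool, result: SimResult) -> None:
    """The broker receives whatever bytes the request's buffer holds *now*."""
    record = bytes(batch.buffer).rstrip(b"\x00")
    result.delivered.setdefault(batch.topic, []).append(record)
    batch.in_flight = False
    if not batch.expired or fix_applied:
        pool.release(batch.buffer)  # normal release, or the deferred one


def simulate(fix_applied: bool) -> SimResult:
    pool = BufferPool()
    result = SimResult()

    # Batch 1: a record for a widely readable topic goes out on the wire.
    batch1 = ProducerBatch("public-metrics", pool.allocate())
    batch1.write(b"metric:cpu=12")
    batch1.in_flight = True

    # The broker is slow; the batch expires while its request is still in flight.
    expire(batch1, pool, fix_applied)

    # Batch 2: a record for a restricted topic allocates from the same pool.
    batch2 = ProducerBatch("payments", pool.allocate())
    result.buffer_reused_while_in_flight = batch2.buffer is batch1.buffer and batch1.in_flight
    batch2.write(b"payment:acct-42")
    batch2.in_flight = True

    # Both requests complete; each topic stores what its buffer contains at that moment.
    complete(batch1, pool, fix_applied, result)
    complete(batch2, pool, fix_applied, result)
    return result


if __name__ == "__main__":
    for label, fixed in (("vulnerable", False), ("fixed", True)):
        print(label, simulate(fixed).delivered)
```

In the vulnerable run the restricted record shows up under `public-metrics` and no error is raised anywhere, which matches the advisory's point that the producer sees a clean success. The deferred release in `expire` is the model's stand-in for the general rule: a pooled buffer may only be recycled once nothing in flight references it.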
Related Threats
MITRE ATT&CK Enterprise Techniques
- Transmitted Data Manipulation (T1565.002)
Why these techniques?
Race condition causes premature buffer deallocation and reuse, resulting in messages being silently delivered to incorrect topics, directly enabling transmitted data manipulation with impacts to confidentiality and integrity.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely remediation of the race condition flaw in the Apache Kafka producer by upgrading to fixed versions such as 3.9.2 or later.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning identifies systems running vulnerable Apache Kafka versions affected by this buffer pool race condition.
- Continuous monitoring of Kafka topics and logs detects anomalous message deliveries to incorrect topics resulting from buffer reuse corruption.
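Because the flaw is in the Java producer client, the RA-5 scan has to cover the kafka-clients dependency of every producing application, not just broker hosts. The following added Python example (not part of this advisory or of Apache Kafka) encodes the fixed releases named above (3.9.2, 4.0.2, 4.1.2, 4.2.0 or later) as version ranges and runs them over constructed Maven `dependency:list` style lines; `SAMPLE_DEPENDENCY_OUTPUT`, `is_fixed` and `find_affected` are assumed names, and the service names and versions in the sample are made up.

```python
"""Added example: flag producer applications whose kafka-clients dependency
predates the fixed releases named in the CVE-2026-35554 advisory.

The dependency lines below are constructed to look like Maven dependency:list
output; in practice they would come from each service's build."""
import re

# Fixed ranges per release line (inclusive low, exclusive high). Everything
# older than 3.9.2 is affected per the advisory's "<= 3.9.1".
FIXED_RANGES = [
    ((3, 9, 2), (4, 0, 0)),
    ((4, 0, 2), (4, 1, 0)),
    ((4, 1, 2), (4, 2, 0)),
    ((4, 2, 0), None),  # 4.2.0 and later
]

# Matches the artifact the Java producer ships in, capturing the version field.
DEP_LINE = re.compile(r"org\.apache\.kafka:kafka-clients:jar:([^:\s]+)")

# Constructed sample: one dependency line per service.
SAMPLE_DEPENDENCY_OUTPUT = {
    "order-service":   "[INFO]    org.apache.kafka:kafka-clients:jar:3.9.1:compile",
    "billing-service": "[INFO]    org.apache.kafka:kafka-clients:jar:4.1.2:compile",
    "legacy-etl":      "[INFO]    org.apache.kafka:kafka-clients:jar:2.8.1:compile",
    "metrics-bridge":  "[INFO]    org.apache.kafka:kafka-clients:jar:4.0.1:compile",
    "unrelated-app":   "[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Take the leading major.minor.patch; qualifiers such as -SNAPSHOT are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: tuple[int, int, int]) -> bool:
    """True if the version lies in one of the fixed ranges."""
    for low, high in FIXED_RANGES:
        if version >= low and (high is None or version < high):
            return True
    return False


def find_affected(dependency_output: dict[str, str]) -> dict[str, str]:
    """Map each service with a pre-fix kafka-clients dependency to that version."""
    affected = {}
    for service, line in dependency_output.items():
        m = DEP_LINE.search(line)
        if not m:
            continue  # not a kafka-clients dependency line
        version = parse_version(m.group(1))
        if not is_fixed(version):
            affected[service] = ".".join(map(str, version))
    return affected


if __name__ == "__main__":
    for service, version in find_affected(SAMPLE_DEPENDENCY_OUTPUT).items():
        print(f"{service}: kafka-clients {version} needs upgrade (CVE-2026-35554)")
```

The ranges are written per release line rather than as a single threshold because a 4.0.2 producer is fixed while a 4.1.1 producer is not, so comparing against one minimum version would misclassify one of them.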