Cyber Resilience

CVE-2026-41604

HighUpdated

Published: 28 April 2026

Published
28 April 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS Score 0.0095 57.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41604 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Apache Thrift. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41604 is an out-of-bounds read vulnerability (CWE-125) in Apache Thrift, a cross-language software framework for scalable services communication. The issue affects all versions of Apache Thrift prior to 0.23.0, potentially allowing attackers to read data beyond the boundaries of allocated buffers during processing of malformed inputs.

The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating it is exploitable over the network with low complexity, requiring no privileges, user interaction, or scope changes. Remote attackers can trigger the flaw by sending crafted Thrift protocol messages to affected services, resulting in limited information disclosure from memory alongside high-impact availability disruption, such as server crashes or denial of service.

Apache advisories recommend upgrading to Apache Thrift version 0.23.0, which addresses the vulnerability. Additional details are available in the official Apache announcement at https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/28/5.

EU & UK References

Vulnerability details

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public-facing Thrift services via crafted protocol messages enables initial access (T1190) and application DoS (T1499.004) through out-of-bounds reads causing crashes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41605Same product: Apache Thrift
CVE-2026-41602Same product: Apache Thrift
CVE-2026-41636Same product: Apache Thrift
CVE-2025-48431Same product: Apache Thrift
CVE-2026-41603Same product: Apache Thrift
CVE-2026-29168Same vendor: Apache
CVE-2026-39304Same vendor: Apache
CVE-2025-58136Same vendor: Apache
CVE-2025-66675Same vendor: Apache
CVE-2026-46586Same vendor: Apache

Affected Assets

apache
thrift
≤ 0.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely patching and remediation of known software flaws like the out-of-bounds read vulnerability in Apache Thrift versions prior to 0.23.0.

prevent

Implements memory protection mechanisms that directly mitigate out-of-bounds reads by preventing unauthorized access to memory beyond allocated buffers.

prevent

Requires validation of information inputs such as crafted Thrift protocol messages to block malformed data that triggers the out-of-bounds read.

References