Cyber Posture

CVE-2026-41605

High

Published: 28 April 2026

Published
28 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0008 23.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41605 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apache Thrift. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires identifying, prioritizing, and remediating known software flaws like the integer overflow in Apache Thrift prior to 0.23.0 by applying the vendor-recommended upgrade.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Mandates vulnerability scanning to identify systems running vulnerable versions of Apache Thrift affected by CVE-2026-41605.

SI-5 Security Alerts, Advisories, and Directives partial match
detect

Ensures receipt and dissemination of security advisories, such as the Apache announcement for CVE-2026-41605, to initiate flaw remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Vulnerability in network-accessible Apache Thrift RPC framework enables remote exploitation of public-facing applications (T1190) and can be leveraged for limited denial of service via application exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Deeper analysisAI

CVE-2026-41605 is an integer overflow or wraparound vulnerability (CWE-190) in Apache Thrift, affecting all versions prior to 0.23.0. Apache Thrift is a software framework for scalable cross-language services development, commonly used for remote procedure calls (RPC) in distributed systems. The vulnerability was publicly disclosed on April 28, 2026, and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low attack complexity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation could result in limited impacts, including partial disclosure of sensitive information, minor modification of data, or limited denial of service, depending on the Thrift implementation and context in which it is deployed.

Apache advisories recommend upgrading to version 0.23.0, which addresses the issue. Detailed discussions are available in the Apache mailing list announcement at https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/28/4.

Details

CWE(s)
CWE-190

Affected Products

apache
thrift
≤ 0.23.0

CVEs Like This One

CVE-2026-41602Same product: Apache Thrift
CVE-2026-41604Same product: Apache Thrift
CVE-2025-48431Same product: Apache Thrift
CVE-2026-41636Same product: Apache Thrift
CVE-2026-41603Same product: Apache Thrift
CVE-2025-66168Same vendor: Apache
CVE-2026-29168Same vendor: Apache
CVE-2026-39304Same vendor: Apache
CVE-2025-66675Same vendor: Apache
CVE-2025-58136Same vendor: Apache

References