Cyber Resilience

CVE-2026-41636

HighDDoS

Published: 28 April 2026

Published
28 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 37.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41636 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Apache Thrift. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 37.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41636 is an uncontrolled recursion vulnerability (CWE-674) in the Node.js bindings of Apache Thrift, affecting versions prior to 0.23.0. Published on 2026-04-28, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to a denial of service, as the uncontrolled recursion can cause excessive resource consumption or application crashes, without impacting confidentiality or integrity.

Apache advisories recommend upgrading to version 0.23.0, which resolves the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/28/1.

EU & UK References

Vulnerability details

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Uncontrolled recursion vulnerability enables remote exploitation causing application crashes or resource exhaustion, directly mapping to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48431Same product: Apache Thrift
CVE-2026-41602Same product: Apache Thrift
CVE-2026-41605Same product: Apache Thrift
CVE-2026-41604Same product: Apache Thrift
CVE-2026-41603Same product: Apache Thrift
CVE-2026-42402Same vendor: Apache
CVE-2026-29169Same vendor: Apache
CVE-2025-23184Same vendor: Apache
CVE-2026-49361Same vendor: Apache
CVE-2026-41284Same vendor: Apache

Affected Assets

apache
thrift
≤ 0.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely flaw remediation, directly addressing CVE-2026-41636 by requiring upgrade of vulnerable Apache Thrift Node.js bindings to version 0.23.0.

prevent

SC-5 implements denial-of-service protections that mitigate the high-impact availability disruption from uncontrolled recursion exploitation.

prevent

SC-6 enforces controls to protect system resources from unauthorized degradation or loss due to excessive consumption triggered by the recursion vulnerability.

References