Cyber Posture

CVE-2026-41636

High

Published: 28 April 2026

Published
28 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0023 45.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41636 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Apache Thrift. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 mandates timely flaw remediation, directly addressing CVE-2026-41636 by requiring upgrade of vulnerable Apache Thrift Node.js bindings to version 0.23.0.

SC-5 Denial-of-service Protection good match
prevent

SC-5 implements denial-of-service protections that mitigate the high-impact availability disruption from uncontrolled recursion exploitation.

SC-6 Resource Availability partial match
prevent

SC-6 enforces controls to protect system resources from unauthorized degradation or loss due to excessive consumption triggered by the recursion vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Uncontrolled recursion vulnerability enables remote exploitation causing application crashes or resource exhaustion, directly mapping to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Deeper analysisAI

CVE-2026-41636 is an uncontrolled recursion vulnerability (CWE-674) in the Node.js bindings of Apache Thrift, affecting versions prior to 0.23.0. Published on 2026-04-28, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to a denial of service, as the uncontrolled recursion can cause excessive resource consumption or application crashes, without impacting confidentiality or integrity.

Apache advisories recommend upgrading to version 0.23.0, which resolves the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/28/1.

Details

CWE(s)
CWE-674

Affected Products

apache
thrift
≤ 0.23.0

CVEs Like This One

CVE-2025-48431Same product: Apache Thrift
CVE-2026-41602Same product: Apache Thrift
CVE-2026-41604Same product: Apache Thrift
CVE-2026-41605Same product: Apache Thrift
CVE-2026-41603Same product: Apache Thrift
CVE-2026-42402Same vendor: Apache
CVE-2026-42403Same vendor: Apache
CVE-2025-53477Same vendor: Apache
CVE-2025-23184Same vendor: Apache
CVE-2026-29169Same vendor: Apache

References