This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch markdown
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/markdown by this push:
new 6cb5349ba5 Add CVE-2026-35554 to the list
6cb5349ba5 is described below
commit 6cb5349ba56b3cc02486ca566e0d4e9504aac6d7
Author: Manikumar Reddy <[email protected]>
AuthorDate: Tue Apr 7 17:31:53 2026 +0530
Add CVE-2026-35554 to the list
---
content/en/community/cve-list.md | 61 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/content/en/community/cve-list.md b/content/en/community/cve-list.md
index 228bb128bc..28d8262cd6 100644
--- a/content/en/community/cve-list.md
+++ b/content/en/community/cve-list.md
@@ -30,6 +30,67 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
This page does **not** list security advisories for dependencies of Kafka. If
your security scanner warns that there is an advisory for a dependency of
Kafka, please see [this
documentation](https://security.apache.org/report-dependency/). You can find
the current development versions of various dependencies
[here](https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle).
You can find a list of advisories that have been confirmed not to apply to
Kafka [here](https://github. [...]
+## [CVE-2026-35554](https://nvd.nist.gov/vuln/detail/CVE-2026-35554) Apache
Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool
Race Condition {#CVE-2026-35554}
+
+A race condition in the Apache Kafka Java producer client's buffer pool
management can cause messages to be silently delivered to incorrect topics.
+
+When a produce batch expires due to delivery.timeout.ms while a network
request containing that batch is still in flight, the batch's ByteBuffer is
prematurely deallocated and returned to the buffer pool. If a subsequent
producer batch—potentially destined for a different topic—reuses this freed
buffer before the original network request completes, the buffer contents may
become corrupted. This can result in messages being delivered to unintended
topics without any error being reported t [...]
+
+Data Confidentiality: Messages intended for one topic may be delivered to a
different topic, potentially exposing sensitive data to consumers who have
access to the destination topic but not the intended source topic.
+
+Data Integrity: Consumers on the receiving topic may encounter unexpected or
incompatible messages, leading to deserialization failures, processing errors,
and corrupted downstream data.
+
+Credit: Bharath Vissapragada (reporter), Donny Nadolny (finder, remediation
developer)
+
+References: [KAFKA-19012](https://issues.apache.org/jira/browse/KAFKA-19012),
[CVE-2026-35554](https://www.cve.org/CVERecord?id=CVE-2026-35554)
+
+<table>
+<tr>
+<td>
+
+Versions affected
+</td>
+<td>
+
+Apache Kafka Clients
([kafka-clients](https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients))
2.8.0 through 3.9.1, 4.0.0 through 4.0.1, 4.1.0 through 4.1.1
+</td> </tr>
+<tr>
+<td>
+
+Fixed versions
+</td>
+<td>
+
+3.9.2, 4.0.2, 4.1.2, 4.2.0
+</td> </tr>
+<tr>
+<td>
+
+Impact
+</td>
+<td>
+
+Kafka producer messages may be silently delivered to incorrect topics due to a
buffer pool race condition, potentially exposing sensitive data to unintended
consumers and causing data integrity issues.
+</td> </tr>
+<tr>
+<td>
+
+Advice
+</td>
+<td>
+
+Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to
address this vulnerability.
+</td> </tr>
+<tr>
+<td>
+
+Issue announced
+</td>
+<td>
+
+7 Apr 2026
+</td> </tr> </table>
+
## [CVE-2025-27819](https://nvd.nist.gov/vuln/detail/CVE-2025-27819) Apache
Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule
configuration {#CVE-2025-27819}
In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS
JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect
API is vulnerable to this attack, the Apache Kafka brokers also have this
vulnerability. To exploit this vulnerability, the attacker needs to be able to
connect to the Kafka cluster and have the AlterConfigs permission on the
cluster resource.
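Review bot: the Advice cell ("Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later") should say that the affected component is the kafka-clients artifact, as the Versions affected cell states, so upgrading brokers alone does not address the issue and every producer application must bump its bundled kafka-clients dependency. Suggest wording such as "Users of the Kafka Java producer client are advised to upgrade the kafka-clients dependency to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later". Minor style point: the description paragraph uses an em-dash ("batch—potentially destined for a different topic—reuses"), which the other entries on this page avoid; parentheses or commas would be consistent.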