Hi Manikumar,

The CVE seems to be still reserved and not published yet.
Best,

On Tue, Apr 7, 2026 at 1:49 PM Manikumar <[email protected]> wrote:

> Severity: moderate
>
> Affected versions:
>
> - Apache Kafka Clients (org.apache.kafka:kafka-clients) 2.8.0 through 3.9.1
> - Apache Kafka Clients (org.apache.kafka:kafka-clients) 4.0.0 through 4.0.1
> - Apache Kafka Clients (org.apache.kafka:kafka-clients) 4.1.0 through 4.1.1
>
> Description:
>
> A race condition in the Apache Kafka Java producer client’s buffer
> pool management can cause messages to be silently delivered to
> incorrect topics.
>
> When a produce batch expires due to delivery.timeout.ms while a
> network request containing that batch is still in flight, the batch’s
> ByteBuffer is prematurely deallocated and returned to the buffer pool.
> If a subsequent producer batch—potentially destined for a different
> topic—reuses this freed buffer before the original network request
> completes, the buffer contents may become corrupted. This can result
> in messages being delivered to unintended topics without any error
> being reported to the producer.
>
> Data Confidentiality:
> Messages intended for one topic may be delivered to a different topic,
> potentially exposing sensitive data to consumers who have access to
> the destination topic but not the intended source topic.
>
> Data Integrity:
> Consumers on the receiving topic may encounter unexpected or
> incompatible messages, leading to deserialization failures, processing
> errors, and corrupted downstream data.
>
> This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1.
>
> Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or
> later to address this vulnerability.
>
> Credit:
>
> Bharath Vissapragada <[email protected]> (reporter)
> Donny Nadolny <[email protected]> (finder)
> Donny Nadolny <[email protected]> (remediation developer)
>
> References:
>
> https://issues.apache.org/jira/browse/KAFKA-19012
> https://kafka.apache.org/community/cve-list
> https://www.cve.org/CVERecord?id=CVE-2026-35554

-- 
Josep Prat
Sr. Engineering Director, Streaming Services, Aiven
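As an added example (not code from the advisory or the Kafka project): since the producer reports no error when a batch lands on the wrong topic, one consumer-side detection is to have the producer stamp each record with the topic it meant to write and let consumers compare that header to the topic they actually read from; the block also checks a kafka-clients version against the affected ranges listed above. The header name `x-intended-topic` and the sample records are constructed for this example.

```python
"""Consumer-side detection of misrouted records (added example, not Kafka code).

Assumes the producer stamps every record with a constructed header
"x-intended-topic" naming the topic it was sent to. A consumer that reads a
record whose actual topic differs from that header has evidence of the
buffer-reuse misrouting described in the advisory.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    topic: str            # topic the consumer actually read the record from
    partition: int
    offset: int
    headers: dict = field(default_factory=dict)


INTENDED_HEADER = "x-intended-topic"  # constructed header name (assumption)


def find_misrouted(records):
    """Return (topic, partition, offset, intended) for each record whose
    stamped intended topic differs from the topic it arrived on."""
    hits = []
    for r in records:
        intended = r.headers.get(INTENDED_HEADER)
        if intended is not None and intended != r.topic:
            hits.append((r.topic, r.partition, r.offset, intended))
    return hits


# Affected kafka-clients ranges exactly as listed in the advisory.
AFFECTED = [((2, 8, 0), (3, 9, 1)), ((4, 0, 0), (4, 0, 1)), ((4, 1, 0), (4, 1, 1))]


def is_affected(version):
    """True when a kafka-clients version string falls inside an affected range."""
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)


# Constructed sample: offset 11 arrived on "payments" but was stamped "audit".
SAMPLE = [
    Record("payments", 0, 10, {INTENDED_HEADER: "payments"}),
    Record("payments", 0, 11, {INTENDED_HEADER: "audit"}),
    Record("payments", 1, 3),  # older producer, no header: cannot be judged
]

if __name__ == "__main__":
    print(find_misrouted(SAMPLE))          # [('payments', 0, 11, 'audit')]
    print(is_affected("3.9.1"), is_affected("3.9.2"))  # True False
```

Records without the header cannot be judged, so the check only becomes reliable once every producer writing to the topic stamps it.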
