CVE-2026-35554 - Vulnerability Analysis

Overview

Apache Kafka ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1 contain a race condition in the Java producer client's buffer pool management, causing messages to be silently delivered to incorrect topics, letting attackers cause data confidentiality and integrity issues, exploit requires message batch expiration during network request.

Severity & Score

Impact

Messages can be delivered to wrong topics, exposing sensitive data and causing data corruption or processing errors.

Mitigation

Upgrade to versions 3.9.2, 4.0.2, 4.1.2, 4.2.0 or later.

References

• https://issues.apache.org/jira/browse/KAFKA-19012
• https://lists.apache.org/thread/f07x7j8ovyqhjd1to25jsnqbm6wj01d6
• http://www.openwall.com/lists/oss-security/2026/04/07/6

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner