CVE-2026-35554

medium Red Hat
CVSS v3 Base Score
6.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 88% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Confidentiality
High
Integrity
High
Availability
None
Published: April 7, 2026 (94 days ago)
Last Modified: April 7, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT

Description

A flaw was found in the Apache Kafka Java producer client. A race condition in the client's buffer pool management can cause messages to be silently delivered to incorrect topics. This occurs when a message batch expires while its network request is still active, leading to premature buffer deallocation and potential reuse by other messages. Consequently, sensitive data may be exposed to unauthorized consumers, and data integrity can be compromised through deserialization failures and processing errors.

CWE

CWE-367

Affected Products

OpenShift ServerlessRed Hat build of Apache Camel 4 for Quarkus 3Red Hat build of Apicurio Registry 2Red Hat build of Apicurio Registry 3Red Hat build of Debezium 2Red Hat build of Debezium 3Red Hat Data Grid 8Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat Fuse 7

Fix Status

✅ Fix Available

References