CVE-2026-49361
CVE-2026-49361 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue. EPSS estimates a 0.58% chance of exploitation in the next 30 days.
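The root cause is a decoder that trusts any declared frame length up to Integer.MAX_VALUE. The following is an added illustration, not code from the Fluss project: it shows that weak Netty configuration next to a bounded one plus a handler that drops the connection on an oversized frame. The 4-byte length-prefix layout and the 64 MiB limit are assumptions for illustration, not Fluss's actual wire format or fix.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.TooLongFrameException;

// Assumed frame layout (illustrative, not Fluss's real wire format): a 4-byte
// big-endian length prefix followed by the payload. Decoder arguments are
// (maxFrameLength, lengthFieldOffset, lengthFieldLength, lengthAdjustment, initialBytesToStrip).
public final class FrameDecoderHardening {

    // Weak configuration as described in the advisory: any declared length up to
    // Integer.MAX_VALUE is accepted, so a single header can make the decoder keep
    // accumulating heap per connection for a frame that never completes.
    static LengthFieldBasedFrameDecoder unboundedDecoder() {
        return new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, 0, 4);
    }

    // Hardened configuration: cap frames at what legitimate clients send
    // (64 MiB is an assumed value; derive it from the real protocol). With
    // Netty's default failFast=true, an oversized length field raises
    // TooLongFrameException as soon as it is read, before the payload is buffered.
    static final int MAX_FRAME_BYTES = 64 * 1024 * 1024;

    static LengthFieldBasedFrameDecoder boundedDecoder() {
        return new LengthFieldBasedFrameDecoder(MAX_FRAME_BYTES, 0, 4, 0, 4);
    }

    // Close the connection on an oversized frame so the peer cannot keep the
    // channel alive, and log it so the event is visible to monitoring.
    static final class OversizedFrameHandler extends ChannelInboundHandlerAdapter {
        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
            if (cause instanceof TooLongFrameException) {
                System.err.println("oversized frame from " + ctx.channel().remoteAddress()
                        + ", closing: " + cause.getMessage());
                ctx.close();
                return;
            }
            ctx.fireExceptionCaught(cause);
        }
    }
}
```

In the channel pipeline, add `boundedDecoder()` first and `OversizedFrameHandler` after it, so the exception the decoder raises reaches the handler.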
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Fluss | >= 0.8.0, < 0.9.1 |
References
- https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/05/30/5 (Mailing List, Third Party Advisory)
Source: NVD / NIST
