Race Condition in Apache Kafka Java Producer Client Buffer Management
CVE-2026-35554

8.7 HIGH

Key Information:

Vendor:
Apache

CVE Published:
7 April 2026

What is CVE-2026-35554?

A race condition in the buffer management system of the Apache Kafka Java producer client can lead to messages being mistakenly delivered to incorrect topics. This occurs when a produce batch's delivery timeout is reached while the corresponding network request is still in progress. If the batch's ByteBuffer is deallocated and reused for a subsequent batch intended for a different topic prior to the original request's completion, the message contents may be corrupted. This vulnerability poses risks to data confidentiality, allowing sensitive data to be exposed to unauthorized consumers, and may also compromise data integrity by causing deserialization failures and processing errors in the receiving topic.
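The ordering the description lays out, replayed as an added Java illustration. This is not Apache Kafka's code and does not reproduce the producer's internals: BufferPool, Batch, expire and requestCompleted are hypothetical stand-ins, the topic names and payloads are constructed, and the deferred-release pattern in the hardened variant is one generic defensive approach, not a description of the project's actual fix. The real producer is multi-threaded; here the interleaving is collapsed into one fixed sequence of steps so the outcome is reproducible.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

/** Added illustration of the buffer-reuse race; hypothetical types, not Kafka's. */
public class BufferReuseRace {

    /** Hypothetical pool: released buffers are handed out again, most recent first. */
    static final class BufferPool {
        private final Deque<ByteBuffer> free = new ArrayDeque<>();
        private final int bufferSize;

        BufferPool(int bufferSize) { this.bufferSize = bufferSize; }

        ByteBuffer allocate() {
            ByteBuffer b = free.pollFirst();
            return b != null ? b : ByteBuffer.allocate(bufferSize);
        }

        void deallocate(ByteBuffer b) {
            b.clear();          // position 0, limit = capacity: ready for the next writer
            free.addFirst(b);
        }
    }

    /** A produce batch: destination topic plus the buffer holding its serialized records. */
    static final class Batch {
        final String topic;
        final ByteBuffer buffer;
        int inFlightRequests = 0;        // hardened variant: requests still referencing the buffer
        boolean releaseDeferred = false; // hardened variant: timeout fired while a request was in flight

        Batch(String topic, ByteBuffer buffer, String payload) {
            this.topic = topic;
            this.buffer = buffer;
            buffer.put(payload.getBytes(StandardCharsets.UTF_8));
            buffer.flip();               // limit = bytes written, position 0
        }

        /** What the network layer would put on the wire: the buffer's bytes at send time. */
        String bytesOnWire() {
            ByteBuffer view = buffer.duplicate();
            byte[] out = new byte[view.remaining()];
            view.get(out);
            return new String(out, StandardCharsets.UTF_8);
        }
    }

    /** Unsafe ordering: the timeout returns the buffer to the pool while a request still references it. */
    static String vulnerableOrdering() {
        BufferPool pool = new BufferPool(64);
        // Batch A for a low-sensitivity topic; its request goes in flight holding a.buffer.
        Batch a = new Batch("app-logs", pool.allocate(), "log: request served");
        // Delivery timeout expires while that request is still pending: buffer released at once.
        pool.deallocate(a.buffer);
        // A batch for a different topic is handed the very same ByteBuffer and fills it (constructed sample).
        Batch b = new Batch("payments", pool.allocate(), "acct=12345 amount=100");
        // The pending request for A now serializes "its" buffer, which holds B's records.
        return a.topic + " <- " + a.bytesOnWire()
                + (b.buffer == a.buffer ? " (same ByteBuffer as B)" : " (separate ByteBuffer)");
    }

    /** Deferred release: the timeout only marks the batch; the buffer returns when the last request completes. */
    static String hardenedOrdering() {
        BufferPool pool = new BufferPool(64);
        Batch a = new Batch("app-logs", pool.allocate(), "log: request served");
        a.inFlightRequests++;            // the request takes a reference before going in flight
        expire(pool, a);                 // timeout: release deferred, buffer stays pinned
        Batch b = new Batch("payments", pool.allocate(), "acct=12345 amount=100"); // gets a fresh buffer
        String sent = a.topic + " <- " + a.bytesOnWire()
                + (b.buffer == a.buffer ? " (same ByteBuffer as B)" : " (separate ByteBuffer)");
        requestCompleted(pool, a);       // only now does A's buffer go back to the pool
        return sent;
    }

    static void expire(BufferPool pool, Batch batch) {
        if (batch.inFlightRequests == 0) pool.deallocate(batch.buffer);
        else batch.releaseDeferred = true;
    }

    static void requestCompleted(BufferPool pool, Batch batch) {
        if (--batch.inFlightRequests == 0 && batch.releaseDeferred) pool.deallocate(batch.buffer);
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + vulnerableOrdering());
        System.out.println("hardened:   " + hardenedOrdering());
    }
}
```

Running `main` prints two lines: the vulnerable ordering pairs batch A's topic with batch B's payload and reports that both batches share one ByteBuffer, which is the cross-topic exposure the advisory describes; the hardened ordering pairs A's topic with A's own bytes because the pool never hands the buffer out while a request still references it. The same check (is any request still holding this buffer?) is what a reviewer would look for at every release path, not just the delivery-timeout one.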

Affected Version(s)

Apache Kafka Clients 2.8.0 up to and including 3.9.1

Apache Kafka Clients 4.0.0 up to and including 4.0.1

Apache Kafka Clients 4.1.0 up to and including 4.1.1

CVSS v3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Bharath Vissapragada <bharathv@apache.org>
Donny Nadolny <donny.nadolny@hotmail.com>