Memory Allocation and Authentication Flaw in Apache IoTDB
CVE-2026-40006

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
10 July 2026

What is CVE-2026-40006?

A vulnerability in Apache IoTDB allows unauthenticated attackers to exploit excessive memory allocation through the AirGap pipe receiver. When enabled, the receiver accepts raw TCP connections on port 9780 without authentication, enabling an attacker to send a 32-bit integer that dictates the amount of memory allocation. This oversight can lead to severe consequences, such as resource exhaustion or crashes of the DataNode process, as the allocation request can reach up to 2.1 billion bytes. Users are advised to upgrade to version 2.0.10 to mitigate this issue.

Affected Version(s)

Apache IoTDB 1.0.0 < 2.0.10

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bugbunny.ai
.