Uncontrolled Resource Consumption in Apache IoTDB AirGap Receiver
CVE-2026-40007

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
10 July 2026

What is CVE-2026-40007?

The vulnerability in the Apache IoTDB AirGap receiver allows unauthenticated attackers to exploit the readLength method, which lacks a depth limit while processing E-language prefixes. By sending a repeated stream of these prefixes, an attacker can trigger uncontrolled recursion, leading to exhaustion of the JVM stack and a StackOverflowError. This vulnerability affects versions of Apache IoTDB from 1.0.0 to below 2.0.10. To mitigate this issue, users should upgrade to version 2.0.10 or later.

Affected Version(s)

Apache IoTDB 1.0.0 < 2.0.10

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bugbunny.ai
.