Uncontrolled Resource Consumption in Apache IoTDB AirGap Receiver
CVE-2026-40007
Currently unrated
What is CVE-2026-40007?
The vulnerability in the Apache IoTDB AirGap receiver allows unauthenticated attackers to exploit the readLength method, which lacks a depth limit while processing E-language prefixes. By sending a repeated stream of these prefixes, an attacker can trigger uncontrolled recursion, leading to exhaustion of the JVM stack and a StackOverflowError. This vulnerability affects versions of Apache IoTDB from 1.0.0 to below 2.0.10. To mitigate this issue, users should upgrade to version 2.0.10 or later.
Affected Version(s)
Apache IoTDB 1.0.0 < 2.0.10