Description
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrashing and an OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
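Upgrading to a fixed version is the remedy; until then, a consumer can refuse to pass untrusted selector values through at all. The wrapper below is an added example, not Spring's own code: it accepts only the selector keys the application configured and rejects any other header value before DelegatingDeserializer sees it. It assumes the DelegatingDeserializer(Map) constructor and the standard Apache Kafka Deserializer and Headers APIs.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.header.Header;
import org.apache.kafka.common.header.Headers;
import org.apache.kafka.common.serialization.Deserializer;
import org.springframework.kafka.support.serializer.DelegatingDeserializer;

/** Allowlist guard in front of DelegatingDeserializer (added example, not Spring code). */
public class SelectorAllowlistDeserializer implements Deserializer<Object> {

    // Header name read by DelegatingDeserializer, as quoted in the advisory.
    static final String SELECTOR_HEADER = "spring.kafka.serialization.selector";

    private final Set<String> allowedSelectors;
    private final Deserializer<Object> delegate;

    // The configured delegate keys are the only selector values ever forwarded.
    // Assumes DelegatingDeserializer exposes a Map-taking constructor.
    public SelectorAllowlistDeserializer(Map<String, Deserializer<?>> delegates) {
        this.allowedSelectors = Set.copyOf(delegates.keySet());
        this.delegate = new DelegatingDeserializer(delegates);
    }

    @Override
    public Object deserialize(String topic, Headers headers, byte[] data) {
        Header h = headers == null ? null : headers.lastHeader(SELECTOR_HEADER);
        if (h == null || h.value() == null) {
            // No selector header: the delegate applies its own default handling.
            return delegate.deserialize(topic, headers, data);
        }
        String selector = new String(h.value(), StandardCharsets.UTF_8);
        if (!allowedSelectors.contains(selector)) {
            // Unknown value from the producer: fail fast, never forward it.
            throw new IllegalArgumentException(
                    "Rejected unknown serialization selector on topic " + topic);
        }
        return delegate.deserialize(topic, headers, data);
    }

    @Override
    public Object deserialize(String topic, byte[] data) {
        return deserialize(topic, null, data);
    }

    @Override
    public void close() {
        delegate.close();
    }
}
```

Wrap it in ErrorHandlingDeserializer (or an equivalent container error handler) so that a rejected record is routed to error handling rather than stalling the partition, and log the rejection count as a detection signal for producers probing the header.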
Problem types
CWE-770: Allocation of Resources Without Limits or Throttling
Product status
4.0.0 up to (excluding) 4.0.6
3.3.0 up to (excluding) 3.3.16
3.2.0 up to (excluding) 3.2.14
2.9.0 up to (excluding) 2.9.14
2.8.0 up to (excluding) 2.8.12
References
https://spring.io/security/cve-2026-41726