Description

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.
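As an added illustration (not the Fluss project's own code), the weak Netty decoder setup the description refers to, beside a bounded one; the wire layout (a 4-byte length prefix) and the 16 MiB ceiling are assumptions, not values taken from Fluss.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.TooLongFrameException;

public class FrameDecoderConfig {
    // Assumed wire layout (not taken from Fluss): 4-byte length prefix, then payload.
    private static final int LENGTH_FIELD_OFFSET = 0;
    private static final int LENGTH_FIELD_LENGTH = 4;
    // Assumed ceiling for the largest legitimate request on this listener.
    static final int MAX_FRAME_BYTES = 16 * 1024 * 1024;

    // Weak (the pre-0.9.1 pattern): any declared length up to ~2 GiB passes the
    // decoder's size check, so the server accepts and buffers oversize frames.
    static LengthFieldBasedFrameDecoder unboundedDecoder() {
        return new LengthFieldBasedFrameDecoder(
                Integer.MAX_VALUE, LENGTH_FIELD_OFFSET, LENGTH_FIELD_LENGTH);
    }

    // Hardened: bound the frame size and keep failFast=true so the decoder
    // throws TooLongFrameException as soon as it reads an oversize length
    // field, rather than after the declared number of bytes has been consumed.
    static LengthFieldBasedFrameDecoder boundedDecoder() {
        return new LengthFieldBasedFrameDecoder(
                MAX_FRAME_BYTES, LENGTH_FIELD_OFFSET, LENGTH_FIELD_LENGTH,
                /* lengthAdjustment */ 0, /* initialBytesToStrip */ LENGTH_FIELD_LENGTH,
                /* failFast */ true);
    }

    // Placed after the decoder in the pipeline: end the connection on an oversize
    // frame instead of leaving the peer's channel open for another attempt.
    static final class OversizeFrameHandler extends ChannelInboundHandlerAdapter {
        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
            if (cause instanceof TooLongFrameException) {
                ctx.close();
            } else {
                ctx.fireExceptionCaught(cause);
            }
        }
    }
}
```

The cap should be derived from the largest message the protocol legitimately carries; a bound that is merely smaller than Integer.MAX_VALUE but still far above real traffic leaves most of the exposure in place.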

PUBLISHED Reserved 2026-05-29 | Published 2026-06-01 | Updated 2026-06-01 | Assigner apache

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

CWE-400 Uncontrolled Resource Consumption

Product status

Default status
unaffected

0.8.0 (semver)
affected

0.9.0 (semver)
affected

Credits

Andrea Cosentino reporter

References

www.openwall.com/lists/oss-security/2026/05/30/5

lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373 vendor-advisory

cve.org (CVE-2026-49361)

nvd.nist.gov (CVE-2026-49361)