CVE-2026-49361

HIGH

Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

Title source: cna

Description

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/30/5

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373

Scores

CVSS v3 7.5

EPSS 0.0101

EPSS Percentile 58.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400 CWE-770

Status published

Products (3)

apache/fluss 0.8.0 - 0.9.1

Apache Software Foundation/Apache Fluss (incubating) 0.8.0

Apache Software Foundation/Apache Fluss (incubating) 0.9.0

Published Jun 01, 2026

Tracked Since Jun 01, 2026