CVE-2026-40006 in IoTDBinfo

Summary

by MITRE • 07/10/2026

Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver accepts raw TCP connections on port 9780 with no authentication. The readLength method reads an attacker-controlled 32-bit integer from the socket and readData passes it directly to new byte[length] with no
upper-bound check. An unauthenticated attacker can cause the JVM to attempt an allocation of up to 2,147,483,647 bytes per connection, exhausting heap memory and crashing or severely degrading the DataNode process.


This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described represents a critical memory allocation flaw in Apache IoTDB that combines multiple security weaknesses to enable remote memory exhaustion attacks. This issue manifests through a combination of improper resource management and authentication bypass mechanisms that together create a severe operational risk for affected systems. The vulnerability specifically impacts versions 1.0.0 through 2.0.9, where the AirGap pipe receiver functionality contains a fundamental design flaw that exposes the system to denial of service attacks through excessive memory allocation.

The technical root cause stems from the readLength method in the IoTDB AirGap receiver implementation which processes attacker-controlled data without proper validation or bounds checking. When the pipe_air_gap_receiver_enabled configuration parameter is set to true, the system listens on TCP port 9780 and accepts raw connections without requiring any authentication. This creates an attack surface where unauthorized parties can directly interact with the memory allocation mechanism. The method reads a 32-bit integer from the network socket that represents the desired data length for allocation, but this value passes directly to new byte[length] construction without any upper-bound validation or size limiting. This pattern aligns with CWE-129, which addresses issues related to insufficient bounds checking of input values, and CWE-130, which covers improper handling of length parameters in memory operations.

The operational impact of this vulnerability is severe and directly threatens system availability through heap memory exhaustion attacks. An unauthenticated attacker can cause the Java Virtual Machine to attempt allocating up to 2,147,483,647 bytes per connection, which represents nearly 2 gigabytes of memory allocation per single malicious connection. This massive allocation attempt will quickly deplete available heap memory resources on the DataNode process, leading to JVM crashes or severe performance degradation that effectively renders the system unavailable. The lack of authentication for this critical function means that any network entity can exploit this vulnerability without requiring legitimate credentials, making it particularly dangerous in exposed environments. According to ATT&CK framework, this vulnerability maps to T1499.004 (Network Denial of Service) and T1566.002 (Phishing via Social Engineering) as attackers can leverage the lack of authentication to gain unauthorized access and execute resource exhaustion attacks.

The vulnerability pattern demonstrates poor resource management practices that violate fundamental security principles for handling untrusted input data. The absence of proper size validation creates a direct path from network input to system resource allocation, bypassing all normal safeguards that should prevent such massive allocations. This type of flaw is particularly dangerous in IoT environments where systems may have limited resources and cannot easily recover from memory exhaustion attacks. The combination of missing authentication for critical functions with unlimited resource allocation creates a perfect storm for denial of service conditions that can be easily exploited by attackers with minimal technical expertise.

Organizations running affected Apache IoTDB versions should immediately implement the recommended upgrade to version 2.0.10 which contains proper bounds checking and authentication mechanisms for the AirGap pipe receiver functionality. Additional mitigations may include network-level restrictions that prevent external access to port 9780, firewall rules that limit connections to trusted sources only, and monitoring systems that can detect unusual memory allocation patterns or connection spikes. Security teams should also consider implementing intrusion detection systems that can identify attempts to exploit this specific vulnerability pattern through anomalous TCP connection behavior or memory allocation requests that exceed normal operational thresholds. The fix implemented in version 2.0.10 addresses both the authentication bypass issue and the resource allocation without limits by introducing proper validation checks and mandatory authentication requirements for critical system functions.

Responsible

Apache

Reservation

04/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!