CVE-2026-40007 in IoTDBinfo

Summary

by MITRE • 07/10/2026

Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticated attacker can send a stream of repeated E-language prefixes that drives the recursion arbitrarily deep, exhausting the receiver thread's JVM stack and raising StackOverflowError.


This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described represents a critical uncontrolled recursion flaw in Apache IoTDB's AirGap receiver functionality that can lead to denial of service conditions and system instability. This issue specifically manifests when the pipe_air_gap_receiver_enabled configuration parameter is set to true, activating the air gap receiver component that processes socket data streams. The technical implementation contains a fundamental design flaw where the readLength method exhibits recursive behavior without any depth or iteration limits when processing E-language prefixes within incoming socket data. This recursive call pattern creates an infinite loop scenario that can be easily exploited by unauthenticated attackers who simply need to transmit a stream of repeated E-language prefixes to trigger the vulnerability.

The operational impact of this vulnerability is severe and directly relates to resource exhaustion at the JVM thread level. When an attacker successfully triggers this recursion, each method call consumes stack space within the receiver thread's JVM stack allocation. As the recursive calls accumulate without bounds, they eventually consume all available stack memory for that specific thread, resulting in a StackOverflowError exception that terminates the thread and potentially destabilizes the entire IoTDB service. The vulnerability affects all versions of Apache IoTDB from 1.0.0 through 2.0.9, creating an extended window of exposure where systems remain vulnerable to this type of denial of service attack.

From a cybersecurity perspective, this vulnerability aligns with CWE-674 (Uncontrolled Recursion) and represents a classic example of resource exhaustion through recursive method calls that lack proper termination conditions. The attack vector is particularly concerning because it requires no authentication credentials, making it accessible to any external party with network connectivity to the affected IoTDB service. According to ATT&CK framework categorization, this vulnerability maps to T1499.004 (Endpoint Denial of Service) and potentially T1566.002 (Phishing via Social Engineering) if attackers use it as part of broader attack chains. The flaw demonstrates poor input validation and inadequate defensive programming practices in the socket data processing pipeline, where the system fails to implement proper recursion depth checking or stack usage monitoring.

The recommended mitigation strategy involves upgrading to Apache IoTDB version 2.0.10, which includes fixes that properly limit recursive calls within the readLength method. This upgrade addresses the root cause by implementing appropriate recursion depth controls and memory management protections. Organizations should also consider implementing network-level restrictions and monitoring for unusual patterns of E-language prefix sequences in their IoTDB deployments. Additional defensive measures may include configuring proper resource limits on JVM thread stacks, implementing rate limiting for socket data streams, and establishing alerting mechanisms to detect potential exploitation attempts. The vulnerability serves as a reminder of the importance of proper input validation and defensive programming techniques in distributed systems handling real-time data streams, particularly in IoT environments where service availability is critical for operational continuity.

Responsible

Apache

Reservation

04/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!