CVE-2026-49361 in Flussinfo

Zusammenfassung

von MITRE • 01.06.2026

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.

This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.

Users are recommended to upgrade to version 0.9.1, which fixes the issue.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Veröffentlichung

01.06.2026

Moderieren

akzeptiert

Eintrag

VDB-367622

CPE

bereit

CWE

CWE-789 (bestätigt)

CVSS

4.3 (VulDB)

EPSS

0.00154

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-49361
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-49361
CVE Details	https://www.cvedetails.com/cve/CVE-2026-49361/

◂ Zurück Übersicht Weiter ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!