Vmware Spring for Apache Kafka up to 4.0.5 DelegatingDeserializer allocation of resources

Summaryinfo

A vulnerability was found in Vmware Spring for Apache Kafka up to 2.8.11/2.9.13/3.2.13/3.3.15/4.0.5. It has been rated as problematic. This impacts an unknown function of the component DelegatingDeserializer. This manipulation causes allocation of resources. This vulnerability is tracked as CVE-2026-41726. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as problematic was found in Vmware Spring for Apache Kafka up to 2.8.11/2.9.13/3.2.13/3.3.15/4.0.5. Affected by this vulnerability is an unknown function of the component DelegatingDeserializer. The manipulation with an unknown input leads to a allocation of resources vulnerability. The CWE definition for the vulnerability is CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. As an impact it is known to affect availability. The summary by CVE is:

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

It is possible to read the advisory at spring.io. This vulnerability is known as CVE-2026-41726 since 04/22/2026. The exploitation appears to be easy. The attack can be launched remotely. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/10/2026). The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

Upgrading to version 2.8.12, 2.9.14, 3.2.14, 3.3.16 or 4.0.6 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Vmware

Name

• Spring for Apache Kafka

Version

• 2.8.0
• 2.8.1
• 2.8.2
• 2.8.3
• 2.8.4
• 2.8.5
• 2.8.6
• 2.8.7
• 2.8.8
• 2.8.9
• 2.8.10
• 2.8.11
• 2.9.0
• 2.9.1
• 2.9.2
• 2.9.3
• 2.9.4
• 2.9.5
• 2.9.6
• 2.9.7
• 2.9.8
• 2.9.9
• 2.9.10
• 2.9.11
• 2.9.12
• 2.9.13
• 3.2.0
• 3.2.1
• 3.2.2
• 3.2.3
• 3.2.4
• 3.2.5
• 3.2.6
• 3.2.7
• 3.2.8
• 3.2.9
• 3.2.10
• 3.2.11
• 3.2.12
• 3.2.13
• 3.3.0
• 3.3.1
• 3.3.2
• 3.3.3
• 3.3.4
• 3.3.5
• 3.3.6
• 3.3.7
• 3.3.8
• 3.3.9
• 3.3.10
• 3.3.11
• 3.3.12
• 3.3.13
• 3.3.14
• 3.3.15
• 4.0.0
• 4.0.1
• 4.0.2
• 4.0.3
• 4.0.4
• 4.0.5

License

• commercial

Website

• Vendor: https://www.vmware.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion