PatchSiren cyber security CVE debrief
CVE-2026-40006 Apache Software Foundation CVE debrief
CVE-2026-40006 is a high-severity vulnerability in Apache IoTDB, affecting versions from 1.0.0 before 2.0.10. The vulnerability allows unauthenticated attackers to cause a denial of service by exhausting heap memory through a specially crafted TCP connection. This issue arises when pipe_air_gap_receiver_enabled=true, allowing the IoTDB AirGap pipe receiver to accept raw TCP connections on port 9780 with no authentication.
- Vendor
- Apache Software Foundation
- Product
- Apache IoTDB
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Apache IoTDB, particularly those using versions between 1.0.0 and 2.0.10, should be aware of this vulnerability and take steps to mitigate it. Operators, security teams, and platform administrators should review the vulnerability and implement necessary controls to prevent exploitation.
Technical summary
The vulnerability is caused by the IoTDB AirGap pipe receiver accepting raw TCP connections on port 9780 with no authentication when pipe_air_gap_receiver_enabled=true. An attacker can send a specially crafted 32-bit integer that is used to allocate memory, potentially exhausting heap memory and causing a denial of service. The readLength method reads an attacker-controlled 32-bit integer from the socket and readData passes it directly to new byte[length] with no upper-bound check.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 2.0.10 or later
- Disable the IoTDB AirGap pipe receiver if not needed
- Implement authentication for TCP connections on port 9780
- Monitor heap memory usage and system performance
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T08:16:22.163Z and last modified on 2026-07-10T16:16:29.893Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify IoTDB versions and upgrade or mitigate as needed.
Official resources
-
CVE-2026-40006 CVE record
CVE.org
-
CVE-2026-40006 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T08:16:22.163Z and has not been modified since then. The NVD entry is currently Deferred.