PatchSiren

CVE-2026-49361 Apache Software Foundation CVE debrief

Apache Fluss (incubating) versions 0.8.0 and 0.9.0 contain a denial-of-service vulnerability in their Netty-based network layer. The LengthFieldBasedFrameDecoder in the server pipeline is configured with Integer.MAX_VALUE as its maximum frame length, so a length field advertising a frame of close to 2 GiB is accepted instead of rejected. An unauthenticated remote attacker who sends such crafted frame headers can drive both the TabletServer and the CoordinatorServer into JVM heap exhaustion. The vulnerability was disclosed on 2026-06-01; version 0.9.1 contains the fix.

Vendor
Apache Software Foundation
Product
Apache Fluss (incubating)
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Apache Fluss (incubating) versions 0.8.0 or 0.9.0 in production, particularly those with TabletServer and CoordinatorServer instances exposed to untrusted networks.

Technical summary

The vulnerability stems from an insecure default in Apache Fluss's Netty pipeline configuration. The LengthFieldBasedFrameDecoder, which splits the inbound byte stream into frames, reads a length field from each frame header and compares it against its maxFrameLength; a frame above the limit is discarded and, with failFast enabled, raises TooLongFrameException. Fluss sets maxFrameLength to Integer.MAX_VALUE, so that comparison never fails for any 32-bit length. An attacker can send a header advertising a payload of up to about 2 GiB and then feed bytes that never complete the frame: the decoder accepts the advertised length and accumulates everything it receives while waiting for the remainder, so the attacker, not the server, decides how much memory a single connection may pin. A handful of such connections is enough to exhaust the JVM heap. Both core server roles, TabletServer and CoordinatorServer, run this pipeline and are affected. No authentication is required to reach the decoder, which lowers the barrier to exploitation.

Defensive priority

high

Recommended defensive actions

  • Upgrade Apache Fluss to version 0.9.1 or later, which replaces the Integer.MAX_VALUE maximum frame length in Netty's LengthFieldBasedFrameDecoder with a bounded value.
  • If immediate patching is not feasible, restrict network access to TabletServer and CoordinatorServer endpoints to trusted hosts only. Because the vulnerable code path needs no authentication, network reachability is the only barrier an unpatched deployment has.
  • Monitor JVM heap utilization on Fluss server components. Sustained heap growth that tracks the number of open client connections, rising GC overhead, or OutOfMemoryError entries in server logs may indicate exploitation attempts.
  • Review Netty pipeline configurations in custom Fluss deployments: set maxFrameLength to the largest request the server legitimately accepts, keep failFast enabled so an oversized length field is rejected as soon as the header is read, and close the connection when TooLongFrameException is raised rather than letting the peer retry.
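The following program is an added example and is not Apache Fluss code. It builds the weak decoder described in the technical summary beside a bounded one, as the last action above recommends, and pushes a constructed attacker header and a constructed legitimate frame through each using Netty's EmbeddedChannel, so it runs offline with only netty-all 4.1.x on the classpath. It assumes a 4-byte big-endian length prefix that does not count itself; Fluss's actual wire layout is not described on this page, and the 16 MiB ceiling is a placeholder to be sized to the deployment's largest legitimate request.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.TooLongFrameException;

/**
 * Added example, not Apache Fluss code. Contrasts an effectively unbounded
 * LengthFieldBasedFrameDecoder with a bounded one. Assumes a 4-byte big-endian
 * length prefix (offset 0, length 4, no adjustment, stripped from the frame).
 */
public class FrameLimitDemo {

    /** Hypothetical ceiling; size it to the largest request the server legitimately accepts. */
    static final int MAX_FRAME_BYTES = 16 * 1024 * 1024;

    /** Weak configuration: a ceiling of Integer.MAX_VALUE accepts any 32-bit length. */
    static LengthFieldBasedFrameDecoder unboundedDecoder() {
        return new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, 0, 4);
    }

    /** Hardened configuration; failFast=true fails the frame as soon as the length field is read. */
    static LengthFieldBasedFrameDecoder boundedDecoder() {
        return new LengthFieldBasedFrameDecoder(MAX_FRAME_BYTES, 0, 4, 0, 4, true);
    }

    /** Constructed attacker input: advertises a frame just under 2 GiB but delivers four bytes. */
    static ByteBuf craftedHeader() {
        ByteBuf buf = Unpooled.buffer(8);
        buf.writeInt(Integer.MAX_VALUE - 4); // adjusted length becomes exactly Integer.MAX_VALUE
        buf.writeBytes(new byte[] {0x41, 0x41, 0x41, 0x41});
        return buf;
    }

    /** Constructed legitimate input: a 4-byte frame, to confirm the bounded decoder still works. */
    static ByteBuf legitimateFrame() {
        ByteBuf buf = Unpooled.buffer(8);
        buf.writeInt(4);
        buf.writeBytes(new byte[] {1, 2, 3, 4});
        return buf;
    }

    /**
     * Runs one buffer through a pipeline holding only the decoder and reports the outcome:
     * "frame ..." if a complete frame was emitted, "rejected ..." if TooLongFrameException
     * fired, or "buffering ..." if the decoder accepted the advertised length and is holding
     * the bytes until the rest arrives, which is the state an attacker keeps every connection in.
     */
    static String feed(LengthFieldBasedFrameDecoder decoder, ByteBuf input) {
        EmbeddedChannel ch = new EmbeddedChannel(decoder);
        try {
            boolean produced = ch.writeInbound(input);
            if (produced) {
                ByteBuf frame = ch.readInbound();
                try {
                    return "frame of " + frame.readableBytes() + " bytes";
                } finally {
                    frame.release();
                }
            }
            return "buffering, waiting for the remainder of the advertised frame";
        } catch (TooLongFrameException e) {
            // In a real pipeline the exceptionCaught handler should close the channel here.
            return "rejected: " + e.getMessage();
        } finally {
            ch.finishAndReleaseAll();
        }
    }

    public static void main(String[] args) {
        System.out.println("unbounded + crafted : " + feed(unboundedDecoder(), craftedHeader()));
        System.out.println("bounded   + crafted : " + feed(boundedDecoder(), craftedHeader()));
        System.out.println("bounded   + legit   : " + feed(boundedDecoder(), legitimateFrame()));
    }
}
```

The first line of output shows the weak decoder quietly waiting for roughly 2 GiB that will never arrive while retaining whatever has been sent; the second shows the bounded decoder rejecting the same header on the strength of the length field alone; the third confirms ordinary traffic still decodes. Note that TooLongFrameException does not close the connection by itself, so the handler that catches it in production should do so.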

Evidence notes

The CVE description explicitly states the affected versions (0.8.0, 0.9.0), the fixed version (0.9.1), the attack vector (unauthenticated remote), and the impact (JVM heap exhaustion / DoS). The weaknesses are mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).

Official resources

2026-06-01