PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10142 Dana Powers CVE debrief

CVE-2026-10142 is a high-severity denial-of-service vulnerability in kafka-python prior to version 2.3.2. A malicious broker, or a machine-in-the-middle attacker sitting between the client and a legitimate broker, can exhaust the client's memory or hang its connections by sending a crafted 4-byte frame length that the client accepts without bounds validation. The length is read in the receive_bytes() function: an oversized value triggers a multi-gigabyte memory allocation, and another crafted value raises an uncaught ValueError that leaves the connection in a broken state, so pending requests hang and consumers stop heartbeating until the process is restarted.

Vendor
Dana Powers
Product
kafka-python
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Users of kafka-python prior to version 2.3.2 should update to version 2.3.2 or later to mitigate this vulnerability.

Technical summary

The root cause is missing bounds validation in the kafka-python protocol parser. The Kafka wire protocol prefixes every response with a 4-byte big-endian frame length, and receive_bytes() trusts that value exactly as the peer sent it, whether the peer is the broker itself or an attacker able to tamper with the connection. An attacker-controlled length can therefore make the client attempt a multi-gigabyte allocation, or raise an uncaught ValueError that leaves the connection unusable. Either outcome is a denial of service against the client process, not the broker.
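As an added illustration (not code from kafka-python or from this page), the following Python shows the failure mode in a minimal length-prefixed frame reader beside a reader that validates the prefix before allocating anything. The sample frames, the MAX_FRAME cap and the function names are constructed for this example; the bounds check is the editor's own and is not a claim about how the 2.3.2 fix is implemented.

```python
import io
import struct

# Constructed sample frames for illustration (not captured from a real broker).
# Kafka frames every response with a 4-byte big-endian signed length prefix.
GOOD_FRAME = struct.pack(">i", 5) + b"hello"
HUGE_FRAME = struct.pack(">i", 0x7FFFFFFF) + b"\x00" * 4   # claims ~2 GiB of payload
NEG_FRAME = struct.pack(">i", -1) + b"\x00" * 4            # negative length
SHORT_FRAME = struct.pack(">i", 10) + b"abc"               # length exceeds bytes actually sent

# Hypothetical cap; a real client would derive this from its configured
# maximum message/fetch size rather than hard-code it.
MAX_FRAME = 1024 * 1024


class FrameError(Exception):
    """Raised for a malformed frame; the caller should drop the connection."""


def read_frame_unchecked(stream):
    """Reader with the weakness the advisory describes: the length prefix is
    trusted as-is.  A negative value makes bytearray() raise ValueError, which
    is uncaught if the caller does not expect it; a huge value makes the client
    allocate that many bytes before a single payload byte has arrived."""
    hdr = stream.read(4)
    if len(hdr) != 4:
        raise FrameError("short header")
    (size,) = struct.unpack(">i", hdr)
    buf = bytearray(size)            # no bounds check on attacker-controlled size
    n = stream.readinto(buf)
    return bytes(buf[:n])            # silently truncated if fewer bytes arrived


def _read_exact(stream, n):
    """Read exactly n bytes or raise FrameError; never returns a partial frame."""
    buf = bytearray(n)
    view = memoryview(buf)
    got = 0
    while got < n:
        chunk = stream.read(n - got)     # recv()/recv_into() on a real socket
        if not chunk:
            raise FrameError("connection closed mid-frame")
        view[got:got + len(chunk)] = chunk
        got += len(chunk)
    return bytes(buf)


def read_frame_checked(stream, max_frame=MAX_FRAME):
    """Hardened reader: validate the length before allocating anything."""
    (size,) = struct.unpack(">i", _read_exact(stream, 4))
    if size <= 0 or size > max_frame:
        raise FrameError(f"invalid frame size {size} (limit {max_frame})")
    return _read_exact(stream, size)


def classify(frame, reader):
    """Run a reader over one constructed frame and report the outcome."""
    try:
        return ("ok", reader(io.BytesIO(frame)))
    except FrameError as exc:
        return ("rejected", str(exc))
    except ValueError as exc:
        return ("valueerror", str(exc))


if __name__ == "__main__":
    # HUGE_FRAME is deliberately not fed to the unchecked reader: it would try
    # to allocate ~2 GiB, which is exactly the failure mode being avoided.
    for name, frame in [("good", GOOD_FRAME), ("negative", NEG_FRAME), ("short", SHORT_FRAME)]:
        print("unchecked", name, classify(frame, read_frame_unchecked))
    for name, frame in [("good", GOOD_FRAME), ("huge", HUGE_FRAME),
                        ("negative", NEG_FRAME), ("short", SHORT_FRAME)]:
        print("checked  ", name, classify(frame, read_frame_checked))
```

Running the block prints the outcome of each reader on each constructed frame. The unchecked reader is never given the 2 GiB frame because bytearray() would genuinely try to allocate it; the checked reader rejects that frame, and the negative one, before any allocation happens, and turns a truncated frame into a clean protocol error instead of returning a partial payload. The unchecked reader's silent truncation on SHORT_FRAME is the kind of inconsistent parser state that leaves a connection hung.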

Defensive priority

High

Recommended defensive actions

  • Update kafka-python to version 2.3.2 or later in every environment, including container images and vendored copies; the library is often pinned indirectly, so check resolved dependency trees rather than only top-level requirements.
  • Until the upgrade lands, close off the machine-in-the-middle path by connecting to brokers only over TLS with certificate verification enabled. This does not help against a malicious or compromised broker, so also treat any unexpected bootstrap address as untrusted.
  • Maintainers of forks or vendored copies should add bounds validation for the 4-byte frame length in the protocol parser before any buffer is allocated, rather than relying on the allocation failing.

Evidence notes

The stored evidence consists of the CVE record and the NVD entry, which carries the CVSS score of 8.7; no CISA KEV listing appears in the stored evidence.

Official resources

CVE-2026-10142 was published on [2026-06-10T22:16:55.350Z](https://www.cve.org/CVERecord?id=CVE-2026-10142) and modified on [2026-06-11T19:10:45.923Z](https://nvd.nist.gov/vuln/detail/CVE-2026-10142).