PatchSiren

CVE-2026-10143 Dana Powers CVE debrief

CVE-2026-10143 is a high-severity denial-of-service vulnerability in kafka-python prior to 2.3.2. The flaw is in the client-side SCRAM authentication handling: ScramClient.process_server_first_message() takes the iteration count from the broker's server-first message and passes it directly to hashlib.pbkdf2_hmac() without validating it. Because that count is broker-controlled, a malicious or machine-in-the-middle broker can supply an enormous value and the client spends a correspondingly long time inside PBKDF2, freezing the client event loop. While the loop is stalled, producer sends, consumer polls, admin operations and heartbeats are all blocked, which leads to consumer group eviction and, once the client reconnects and authenticates again, repeated failures of the same kind.

Vendor: Dana Powers
Product: kafka-python
CVSS: 8.7 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Anyone running kafka-python older than 2.3.2 that authenticates to brokers with SASL SCRAM (SCRAM-SHA-256 or SCRAM-SHA-512). The vulnerable code is the client-side SCRAM handler, so deployments using PLAIN, GSSAPI, OAUTHBEARER or no SASL at all do not exercise it, though they should still upgrade. Exposure is greatest where the client can be answered by a broker it does not fully trust: multi-tenant or third-party Kafka services, and any client-to-broker path without TLS, where a machine-in-the-middle can inject the server-first message.

Technical summary

In SCRAM (RFC 5802) the server-first message carries the salt and the PBKDF2 iteration count (the i= attribute), and the client must derive SaltedPassword by running PBKDF2-HMAC for that many rounds before it can send its proof. kafka-python before 2.3.2 accepts whatever value the broker sends, so the CPU time spent in hashlib.pbkdf2_hmac() grows linearly with a number the attacker chooses, and the call cannot be cancelled once it has started. Kafka brokers normally issue a small count (4096 by default), so a legitimate exchange is cheap; a count in the billions ties up the client thread for hours. The vulnerability is rated CVSS 8.7 (HIGH). It is triggered solely by a broker, or something able to impersonate one, returning a crafted server-first message during authentication.
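The following is an added illustration for this debrief, not kafka-python's code and not the vendor patch. It parses a SCRAM server-first message and shows the vulnerable pattern (broker-supplied iteration count handed straight to PBKDF2) beside a hardened one that bounds the count first. The function names, the 65536 ceiling and the sample messages are assumptions made for the example; the 4096 floor is the RFC 7677 minimum for SCRAM-SHA-256 and also the Kafka broker default.

```python
import base64
import hashlib
import time

# Assumed bounds (not taken from any vendor patch): Kafka brokers issue
# 4096 iterations by default and RFC 7677 sets 4096 as the floor for
# SCRAM-SHA-256, so a count far above that is a strong sign of a hostile
# or badly misconfigured broker.
MIN_ITERATIONS = 4096
MAX_ITERATIONS = 1 << 16  # 65536, an assumed ceiling chosen for illustration


def parse_server_first(msg: str) -> dict:
    """Split a SCRAM server-first message 'r=<nonce>,s=<base64 salt>,i=<n>'
    into its attributes. Attribute values cannot contain ',' so a plain
    split is safe; attribute names are single letters."""
    attrs = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")
        if not sep or len(key) != 1:
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        attrs[key] = value
    return attrs


def salted_password_unchecked(password: str, server_first: str,
                              hashname: str = "sha256") -> bytes:
    """Vulnerable pattern: the broker-supplied iteration count goes straight
    into PBKDF2. A value in the billions keeps this call busy for hours on
    one CPU core, and whatever loop called it is stalled for the duration."""
    attrs = parse_server_first(server_first)
    salt = base64.b64decode(attrs["s"])
    iterations = int(attrs["i"])
    return hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), salt, iterations)


def validated_iterations(attrs: dict, lo: int = MIN_ITERATIONS,
                         hi: int = MAX_ITERATIONS) -> int:
    """Parse and bound the 'i' attribute before any key derivation happens."""
    raw = attrs.get("i")
    if raw is None or not raw.isdigit():
        raise ValueError(f"SCRAM iteration count missing or not a number: {raw!r}")
    iterations = int(raw)
    if not lo <= iterations <= hi:
        raise ValueError(f"SCRAM iteration count {iterations} outside [{lo}, {hi}]")
    return iterations


def salted_password_checked(password: str, server_first: str,
                            hashname: str = "sha256") -> bytes:
    """Hardened pattern: reject an out-of-range iteration count up front, so a
    hostile server-first message costs a ValueError instead of CPU hours."""
    attrs = parse_server_first(server_first)
    iterations = validated_iterations(attrs)
    salt = base64.b64decode(attrs["s"])
    return hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), salt, iterations)


def accepts_server_first(server_first: str) -> bool:
    """True if the hardened path would proceed with this message."""
    try:
        validated_iterations(parse_server_first(server_first))
        return True
    except ValueError:
        return False


def estimate_seconds(iterations: int, sample: int = 20_000) -> float:
    """Rough wall-clock cost of PBKDF2-HMAC-SHA256 for `iterations` rounds on
    this machine, extrapolated linearly from a short measured run. This is
    what makes the attack work: cost is linear in a number the broker picks."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"pencil", b"salt", sample)
    per_round = (time.perf_counter() - start) / sample
    return per_round * iterations


if __name__ == "__main__":
    # Constructed messages: one a broker would normally send (nonce taken
    # from the RFC 5802 example), one as a hostile broker could send.
    benign = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=c2FsdA==,i=4096"
    hostile = benign.replace("i=4096", "i=2000000000")
    print("benign accepted:", accepts_server_first(benign))    # True
    print("hostile accepted:", accepts_server_first(hostile))  # False
    print("hostile cost on the unchecked path: ~%.0f s" % estimate_seconds(2_000_000_000))
```

The only difference between the two derivation paths is the bounds check, which runs before the expensive call; that is the shape of fix this class of bug needs, since once pbkdf2_hmac() is entered there is no way to abort it. The exact ceiling is a policy choice: it should comfortably exceed what your brokers are configured to issue while staying small enough that the worst case is milliseconds, not hours.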

Defensive priority

High

Recommended defensive actions

  • Upgrade to kafka-python 2.3.2 or later; this is the only fix for the flaw itself.
  • Until the upgrade is rolled out, make sure clients connect with SASL_SSL and verify the broker certificate, so a machine-in-the-middle cannot inject a server-first message. This narrows the attack to a malicious or compromised broker and is not a substitute for upgrading.
  • On clients that cannot be upgraded immediately, watch for the symptoms described above: stalled heartbeats, consumer group evictions and repeated reconnects that fail during authentication.
  • Patch details: https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b
  • Issue tracking and patch discussion: https://github.com/dpkp/kafka-python/pull/3019 and https://github.com/dpkp/kafka-python/pull/3026
  • Advisory: https://www.vulncheck.com/advisories/kafka-python-prior-to-dos-via-scram-iteration-count-in-scram-py

Evidence notes

The vulnerability is documented in the official CVE record [cve-org]. Additional details can be found in the NVD vulnerability database [nvd].

Official resources

Public