PatchSiren cyber security CVE debrief
CVE-2026-41726 Spring CVE debrief
CVE-2026-41726 is a MEDIUM-severity vulnerability affecting Spring for Apache Kafka. When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. The affected versions are Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
- Vendor: Spring
- Product: Spring for Apache Kafka
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring for Apache Kafka, particularly those who have applications that use DelegatingDeserializer, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the lack of bounds checking on the spring.kafka.serialization.selector header values that DelegatingDeserializer consumes. A producer can send records carrying unique, randomly generated selector values, and each new value contributes to consumer-side heap growth that is never reclaimed, so the heap grows without bound until garbage collection thrashes and the consumer fails with OutOfMemoryError.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a non-affected version of Spring for Apache Kafka.
- Avoid using DelegatingDeserializer if possible.
- Implement bounds checking on spring.kafka.serialization.selector header values.
Evidence notes
The CVE record and NVD detail pages provide additional information about this vulnerability.
Official resources
- CVE-2026-41726 CVE record (CVE.org)
- CVE-2026-41726 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
CVE-2026-41726 was published on [2026-06-10T00:16:52.030Z](https://www.cve.org/CVERecord?id=CVE-2026-41726) and modified on [2026-06-10T19:24:04.320Z](https://nvd.nist.gov/vuln/detail/CVE-2026-41726).