Kafka Producer Buffer Race Leads to Silent Topic Swapping (v3.9.1-4.1.1)
CVE-2026-35554 Published on April 7, 2026
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
A race condition in the Apache Kafka Java producer client's buffer pool management can cause messages to be silently delivered to incorrect topics.
When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch's ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch, potentially destined for a different topic, reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer.
Data Confidentiality:
Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic.
Data Integrity:
Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data.
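The interleaving described above, and the confidentiality impact it produces, as an added example that is not Kafka's code: a constructed Java model of a pooled ByteBuffer whose owning batch expires while a network request still references it. The BufferPool, Batch, Delivered and scenario names are illustrative assumptions, the event order is scripted rather than raced between real threads so the outcome is deterministic, and the deferred-release variant shows one way such a window can be closed, not the upstream patch.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;

// Constructed model (not Kafka's implementation) of a pooled-buffer lifetime bug:
// a batch's buffer goes back to the pool when the batch expires, even though an
// in-flight request still reads from it, so the next batch can overwrite it.
public class BufferPoolRace {

    /** Minimal buffer pool: hands out fixed-size buffers and recycles freed ones. */
    static final class BufferPool {
        private final Deque<ByteBuffer> free = new ArrayDeque<>();
        private final int size;
        BufferPool(int size) { this.size = size; }
        ByteBuffer allocate() {
            ByteBuffer b = free.isEmpty() ? ByteBuffer.allocate(size) : free.pop();
            b.clear();              // reused buffer is handed out as if it were fresh
            return b;
        }
        void deallocate(ByteBuffer b) { free.push(b); }
    }

    /** A produce batch: its target topic plus the pooled buffer holding its bytes. */
    static final class Batch {
        final String topic;
        final ByteBuffer buffer;
        boolean inFlight;   // referenced by a network request that has not completed
        boolean expired;    // delivery.timeout.ms has elapsed
        boolean released;   // buffer already returned to the pool
        Batch(String topic, ByteBuffer buffer) { this.topic = topic; this.buffer = buffer; }
    }

    /** What the broker receives: the topic the request was addressed to and the bytes sent. */
    static final class Delivered {
        final String topic; final String payload;
        Delivered(String topic, String payload) { this.topic = topic; this.payload = payload; }
        @Override public String toString() { return topic + " <- \"" + payload + "\""; }
    }

    private final BufferPool pool = new BufferPool(64);
    private final List<Delivered> log = new ArrayList<>();
    private final boolean deferReleaseUntilRequestCompletes;

    BufferPoolRace(boolean deferRelease) { this.deferReleaseUntilRequestCompletes = deferRelease; }

    Batch newBatch(String topic, String payload) {
        ByteBuffer buf = pool.allocate();
        buf.put(payload.getBytes(StandardCharsets.UTF_8));
        buf.flip();
        return new Batch(topic, buf);
    }

    /** A network request picks up the batch and now references its buffer. */
    void startRequest(Batch b) { b.inFlight = true; }

    /** The batch times out. Vulnerable variant: free the buffer right away. */
    void expire(Batch b) {
        b.expired = true;
        if (!deferReleaseUntilRequestCompletes || !b.inFlight) release(b);
    }

    /** The request completes: bytes are read from the buffer as they stand now. */
    void completeRequest(Batch b) {
        ByteBuffer view = b.buffer.duplicate();
        byte[] bytes = new byte[view.remaining()];
        view.get(bytes);
        log.add(new Delivered(b.topic, new String(bytes, StandardCharsets.UTF_8)));
        b.inFlight = false;
        if (b.expired) release(b);   // safe variant releases only once nothing references it
    }

    private void release(Batch b) {
        if (!b.released) { b.released = true; pool.deallocate(b.buffer); }
    }

    /** Replays the advisory's event order with a public batch expiring first. */
    static List<Delivered> scenario(boolean deferRelease) {
        BufferPoolRace p = new BufferPoolRace(deferRelease);
        Batch metrics = p.newBatch("metrics-public", "cpu=42");
        p.startRequest(metrics);                                   // request A in flight
        p.expire(metrics);                                         // delivery.timeout.ms fires
        Batch payments = p.newBatch("payments", "card=4111111111111111"); // may reuse the freed buffer
        p.completeRequest(metrics);                                // request A finally reads the buffer
        p.startRequest(payments);
        p.completeRequest(payments);
        return p.log;
    }

    /** True if any payload carrying card data reached a topic other than "payments". */
    static boolean leakedToWrongTopic(List<Delivered> deliveries) {
        for (Delivered d : deliveries) {
            if (d.payload.contains("card=") && !d.topic.equals("payments")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<Delivered> vulnerable = scenario(false), fixed = scenario(true);
        System.out.println("immediate release: " + vulnerable + " leaked=" + leakedToWrongTopic(vulnerable));
        System.out.println("deferred release:  " + fixed + " leaked=" + leakedToWrongTopic(fixed));
    }
}
```

In the immediate-release run the expired batch's buffer is handed to the payments batch, so request A, still addressed to metrics-public, sends the card payload and no error reaches the producer; in the deferred-release run the payments batch gets a fresh buffer and each topic receives only its own bytes.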
This issue affects Apache Kafka versions 3.9.1, 4.0.1, and 4.1.1.
Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.
Vulnerability Analysis
CVE-2026-35554 is exploitable with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Types
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2026-35554 has been classified as a Dangling pointer vulnerability or weakness.
What is a Race Condition Vulnerability?
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CVE-2026-35554 has been classified as a Race Condition vulnerability or weakness.
Products Associated with CVE-2026-35554
Affected Versions
Apache Software Foundation Apache Kafka Clients:
- Versions 2.8.0 through 3.9.1 (inclusive) are affected.
- Versions 4.0.0 through 4.0.1 (inclusive) are affected.
- Versions 4.1.0 through 4.1.1 (inclusive) are affected.