Memory Allocation with Excessive Size in Apache Thrift < 0.23.0 (CVE-2026-43868)
CVE-2026-43868 Published on May 5, 2026
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Vulnerability Analysis
CVE-2026-43868 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
What is a Stack Exhaustion Vulnerability?
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CVE-2026-43868 has been classified to as a Stack Exhaustion vulnerability or weakness.
Improper Validation of Specified Index, Position, or Offset in Input
The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
Products Associated with CVE-2026-43868
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-43868 are published in these products:
Affected Versions
Apache Software Foundation Apache Thrift:- Before 0.23.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.