๐Ÿ” CVE Alert

CVE-2026-49361

HIGH 7.5

Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

CVSS Score: 7.5
EPSS Score: 0.1%
EPSS Percentile: 17th

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.

CWE: CWE-770, CWE-400
Vendor: Apache Software Foundation
Product: Apache Fluss (incubating)
Published: Jun 1, 2026
Last Updated: Jun 1, 2026

Affected Versions

Apache Software Foundation / Apache Fluss (incubating)
0.8.0, 0.9.0

References

lists.apache.org: https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/30/5

Credits

๐Ÿ” Andrea Cosentino