๐Ÿ” CVE Alert

CVE-2026-54775

MEDIUM 6.5

CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.

CVSS Score
6.5
EPSS Score
0.3%
EPSS Percentile
26th

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1.

CWE CWE-248 CWE-754 CWE-755
Vendor corewcf
Product corewcf
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for corewcf corewcf

Be the first to know when new medium vulnerabilities affecting corewcf corewcf are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

CoreWCF / CoreWCF
>= 1.9.0, < 1.9.1 < 1.8.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6 github.com: https://github.com/CoreWCF/CoreWCF/commit/1a229d0d14a07766302f7d14c866889f04a3a624 github.com: https://github.com/CoreWCF/CoreWCF/commit/6d7431ebc0ebe6521ea6d0dbea8982bac3d2bc98 github.com: https://github.com/CoreWCF/CoreWCF/commit/8f95f3ac3c929409e830b5c5659683ef9f6ea6b0 github.com: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1 github.com: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1