CVE-2026-49361

Published: Giu 01, 2026 Last Modified: Giu 01, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.

This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.

Users are recommended to upgrade to version 0.9.1, which fixes the issue.

400

Uncontrolled Resource Consumption

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Access Control Other
Potential Impacts:
Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Bypass Protection Mechanism Other
Applicable Platforms
Technologies: Not Technology-Specific, AI/ML
Likelihood of Exploit: High
View CWE Details
770

Allocation of Resources Without Limits or Throttling

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
http://www.openwall.com/lists/oss-security/2026/05/30/5
http://www.openwall.com/lists/oss-security/2026/05/30/5
https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhs…
https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373