HarborGuard Database

CVE-2026-10142 | Severity: HIGH | CNA: VulnCheck

CVE-2026-10142: kafka-python prior to 2.3.2 Denial of Service via Protocol Parser Frame Length

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: 2.3.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the kafka-python protocol parser, affecting all versions before 2.3.2. An unauthenticated attacker reachable over the network, or a machine-in-the-middle positioned between the client and broker, can send a crafted 4-byte frame length value that triggers either a multi-gigabyte memory allocation or an uncaught ValueError, hanging connections and stopping consumer heartbeats until the process is restarted. A patched-image rebuild at version 2.3.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle kafka-python as a dependency.

Triage: Available

HarborGuard scores this finding at CVSS 8.7 HIGH (v4.0) and is capable of applying per-environment compliance policy weighting before routing the alert to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild pinned to kafka-python 2.3.2 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the kafka-python client over the network, either as a reachable broker endpoint or as a machine-in-the-middle on the same network path.

  • Authentication: Not required

    No credentials are needed; the malicious frame can be sent without any prior authentication handshake.

  • Victim interaction: Not required

    No user or operator action is required; the client processes incoming broker frames automatically.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free; the attacker only needs to deliver a crafted 4-byte frame length value to the receive_bytes() function.

Blast Radius

  • The affected process exhausts available memory by attempting to allocate a multi-gigabyte buffer based on the attacker-controlled frame length value.
  • Alternatively, an uncaught ValueError leaves the connection in a permanently broken state without freeing resources.
  • Kafka consumers stop sending heartbeats to the broker, causing partition rebalances and message-processing stalls across the consumer group.
  • The affected client process must be restarted to recover, interrupting any workload that depends on continuous Kafka consumption or production.
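Both outcomes in the list above follow from trusting the 4-byte length prefix before anything is sized by it. The following added example (written for this page, not kafka-python's own parser and not the 2.3.2 fix) shows a minimal length-prefixed frame reader that validates the signed int32 prefix against a configurable ceiling before allocating, and reports a clean error so the caller can close the connection rather than leave it half-broken; the names MAX_FRAME_BYTES, FrameError, read_frame and parse_bytes and the sample traffic are all constructed here.

```python
import io
import struct

# Assumed ceiling (hypothetical, not a kafka-python setting): far above any
# legitimate Kafka message, yet small enough to refuse multi-gigabyte lengths.
MAX_FRAME_BYTES = 100 * 1024 * 1024


class FrameError(Exception):
    """Malformed length prefix or truncated frame; caller closes the socket."""


def read_exact(stream, n):
    """Read exactly n bytes, raising FrameError if the peer hangs up early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise FrameError("connection closed mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def read_frame(stream, max_frame_bytes=MAX_FRAME_BYTES):
    """Return one frame body, or None at a clean EOF between frames.
    The int32 prefix is checked before any buffer sized by it is created."""
    first = stream.read(1)
    if not first:
        return None
    (length,) = struct.unpack(">i", first + read_exact(stream, 3))  # signed big-endian
    if length < 0:
        raise FrameError(f"negative frame length {length}")
    if length > max_frame_bytes:
        raise FrameError(f"frame length {length} exceeds {max_frame_bytes}")
    return read_exact(stream, length)


def parse_bytes(data, max_frame_bytes=MAX_FRAME_BYTES):
    """Parse every frame in data; return (frames, error) so the caller can
    close the connection deliberately instead of leaving it half-broken."""
    stream, frames = io.BytesIO(data), []
    try:
        while (frame := read_frame(stream, max_frame_bytes)) is not None:
            frames.append(frame)
        return frames, None
    except FrameError as exc:
        return frames, str(exc)


# Constructed sample traffic: one valid 5-byte frame, then two hostile prefixes.
GOOD = struct.pack(">i", 5) + b"hello"
OVERSIZED = struct.pack(">i", 2**31 - 1)  # would demand a ~2 GiB buffer if trusted
NEGATIVE = struct.pack(">i", -1)          # would surface as a bare ValueError if trusted
```

Feeding GOOD + OVERSIZED returns the valid frame together with an error string, which is the point: the reader never allocates from the hostile prefix and hands the caller an explicit signal to tear the connection down.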

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10142 is active across all scanning pipelines, matching images that include kafka-python below version 2.3.2. A patched-image rebuild at version 2.3.2 is available the moment an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and policy context attached so triage can begin immediately.


Fix available: 2.3.2

Affected packages
  • Dana Powers / kafka-python: < 2.3.2 (from 0)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N