CVE-2026-49361: Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 0.9.1 (per the upstream advisory)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a memory exhaustion (denial-of-service) vulnerability in Apache Fluss versions 0.8.0 and 0.9.0. The affected Netty LengthFieldBasedFrameDecoder is configured with Integer.MAX_VALUE as its maximum frame length, so it has no practical frame-size limit, and an unauthenticated attacker who can reach the listener can send crafted frame headers that declare enormous frames and drive the JVM to allocate heap memory until it is exhausted. Successful exploitation crashes the TabletServer or CoordinatorServer process, taking the affected Fluss node out of service. The upstream advisory names 0.9.1 as the fixed release; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as that fix version is carried in the advisory feed it ingests.
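The decoder setting behind this advisory, as an added example that is not Fluss's own code: the weak Netty configuration beside a bounded one, plus an in-memory check of how each reacts to a header that declares a near-2 GiB frame. The frame layout (a 4-byte big-endian length prefix at offset 0 that counts payload bytes only), the 16 MiB ceiling, and the class and method names are assumptions chosen for illustration; the Netty classes used (LengthFieldBasedFrameDecoder, EmbeddedChannel, TooLongFrameException, Unpooled) are real and need netty-all on the classpath.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.TooLongFrameException;

public class FrameDecoderHardening {

    // Assumed wire layout: 4-byte big-endian length prefix, then the payload.
    // The prefix counts payload bytes only, and the decoder strips it.
    static final int LENGTH_FIELD_OFFSET = 0;
    static final int LENGTH_FIELD_LENGTH = 4;
    static final int LENGTH_ADJUSTMENT = 0;
    static final int INITIAL_BYTES_TO_STRIP = 4;

    // Assumed ceiling: size it to the largest legitimate request the server accepts.
    static final int MAX_FRAME_BYTES = 16 * 1024 * 1024;

    /** Weak setting of the kind the advisory describes: any declared length is accepted. */
    static LengthFieldBasedFrameDecoder unboundedDecoder() {
        return new LengthFieldBasedFrameDecoder(
                Integer.MAX_VALUE, LENGTH_FIELD_OFFSET, LENGTH_FIELD_LENGTH,
                LENGTH_ADJUSTMENT, INITIAL_BYTES_TO_STRIP);
    }

    /** Hardened setting: a frame whose header declares more than MAX_FRAME_BYTES is
     *  rejected as soon as the length field is read (failFast = true), before any
     *  payload is buffered. */
    static LengthFieldBasedFrameDecoder boundedDecoder() {
        return new LengthFieldBasedFrameDecoder(
                MAX_FRAME_BYTES, LENGTH_FIELD_OFFSET, LENGTH_FIELD_LENGTH,
                LENGTH_ADJUSTMENT, INITIAL_BYTES_TO_STRIP, /* failFast */ true);
    }

    /** A constructed header of the kind an attacker sends: it declares roughly 2 GiB
     *  of payload but carries none. With the 4-byte prefix added back, the total
     *  frame length is exactly Integer.MAX_VALUE, which the weak setting still allows. */
    static ByteBuf oversizedHeader() {
        return Unpooled.buffer(LENGTH_FIELD_LENGTH).writeInt(Integer.MAX_VALUE - LENGTH_FIELD_LENGTH);
    }

    /** Feeds the header through the given decoder on an in-memory channel and reports
     *  whether the decoder rejected it. */
    static boolean rejectsOversizedHeader(LengthFieldBasedFrameDecoder decoder) {
        EmbeddedChannel ch = new EmbeddedChannel(decoder);
        try {
            // The weak decoder returns quietly: no frame yet, and it now waits for
            // ~2 GiB more bytes, holding whatever arrives in its cumulation buffer.
            ch.writeInbound(oversizedHeader());
            return false;
        } catch (TooLongFrameException e) {
            // The bounded decoder fails fast on the header alone.
            return true;
        } finally {
            ch.finishAndReleaseAll();
        }
    }

    public static void main(String[] args) {
        System.out.println("unbounded decoder rejects oversized header: "
                + rejectsOversizedHeader(unboundedDecoder()));
        System.out.println("bounded decoder rejects oversized header:   "
                + rejectsOversizedHeader(boundedDecoder()));
    }
}
```

The point of failFast is that the rejection happens when the length field is parsed, so the server never commits memory to a frame it will never accept; without a ceiling, every connection is allowed to claim a frame of up to 2 GiB, and the attacker decides how much of that the server actually buffers. A frame limit should be paired with a cap on concurrent connections per source, since the limit bounds memory per connection, not per attacker.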
HarborGuard Coverage
Detection of CVE-2026-49361 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Apache Fluss 0.8.0 or 0.9.0. Any affected image in a connected registry or CI pipeline is flagged automatically.
HarborGuard scores this finding at CVSS 7.5 HIGH and surfaces it accordingly in the findings queue, weighted further by each customer environment's compliance policy (for example, elevated priority in production-tier namespaces). Triage routing directs the alert to the team inbox or ticketing integration configured for that environment.
Because the advisory feed does not yet carry a fixed version for this CVE (the advisory text itself recommends upgrading to 0.9.1), HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the corrected release is recorded upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix version is available upstream.
Exploit Conditions
- Network reachability: Required
The attacker must reach the TabletServer or CoordinatorServer Netty listener over the network; any host with a TCP route to the service port is within scope.
- Authentication: Not required
No credentials or session token of any kind are needed; the vulnerable frame decoder processes incoming data before any authentication step.
- Victim interaction: Not required
The attack is fully remote and passive from the victim side; no user action or approval is required.
- Attack complexity: Low (CVSS AC:L)
Exploit conditions are straightforward and reliable: the attacker only needs to open a connection and send a frame header with a large declared length, with no race condition or environmental prerequisite.
Blast Radius
- Exhausts JVM heap memory on the targeted TabletServer or CoordinatorServer process, causing an out-of-memory crash.
- Takes the affected Fluss node out of service, disrupting data ingestion or cluster coordination depending on which server type is targeted.
- A sustained or repeated attack can keep nodes unavailable, degrading or halting the entire Fluss cluster until the process is restarted.
How HarborGuard Handles This
Available on HarborGuard: because the advisory feed does not yet carry a fixed version for this CVE, HarborGuard continuously re-checks the advisory on every ingest cycle. The moment an upstream fix is recorded, a patched-image rebuild becomes available, and for customers with auto-remediation enabled, HarborGuard will trigger the rebuild, run regression tests, and open a PR against affected workloads automatically. In the interim, the upstream advisory's own recommendation is to upgrade to 0.9.1. Compensating controls worth considering while that is scheduled include network-policy isolation that restricts access to Fluss server ports to known internal clients only, egress policies on other workloads so that only approved clients can open connections to Fluss, and placing the Fluss listener behind a proxy that authenticates the client before forwarding traffic. Note that a plain TCP load balancer forwards the crafted frame unchanged and adds no protection; the proxy has to enforce a credential check in front of the unauthenticated frame decoder. HarborGuard will surface any images containing Apache Fluss 0.8.0 or 0.9.0 as HIGH-severity findings so they can be prioritized for those compensating controls while the upstream patch is pending.
- Apache Software Foundation / Apache Fluss (incubating): 0.8.0 · 0.9.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H