CVE-2026-35554

Name of the Vulnerable Software and Affected Versions Apache Kafka versions 3.9.1 and earlier, 4.0.1 and earlier, and 4.1.1 and earlier

Description A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted, resulting in messages being delivered to unintended topics without any error being reported to the producer. This can lead to data confidentiality and integrity issues, where messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data, and consumers may encounter unexpected or incompatible messages.

Recommendations Upgrade to version 3.9.2 or later. Upgrade to version 4.0.2 or later. Upgrade to version 4.1.2 or later. Upgrade to version 4.2.0 or later.