High (7.5)

Apache Thrift c_glib server crash (CVE-2025-48431)


CVE-2025-48431: high severity memory corruption in Apache Thrift c_glib before 0.23.0 crashes servers via crafted requests (CVSS 7.5). Update to 0.23.0.

Affected: Apache Thrift

Vendor-confirmed: CVE-2025-48431 is a high severity memory management flaw in Apache Thrift c_glib language bindings before 0.23.0 that enables remote attackers to crash servers with a fatal free(): invalid pointer error. Patched in version 0.23.0; all c_glib-based Thrift servers should upgrade now.

Overview

CVE-2025-48431 describes a mismatched memory management routines vulnerability in Apache Thrift’s c_glib language bindings. When the server processes a specially crafted request, it attempts to deallocate memory using an incorrect routine, leading to heap corruption that crashes the process with a fatal but clean free(): invalid pointer error.

This is not a memory corruption that allows code execution; the impact is a reliable denial-of-service condition. The crash is deterministic and clean, meaning no memory is left in an exploitable state, but the service is knocked offline entirely.

Impact

An unauthenticated attacker can crash any Thrift server using the c_glib bindings prior to version 0.23.0 by sending a single crafted request. The crash is immediate and requires no authentication or user interaction. With a CVSS score of 7.5 (HIGH), the risk is particularly severe for internet-facing Thrift services where the attacker can reach the network port directly.

Organizations using Apache Thrift for internal microservice communication are also at risk if attackers have network access to the service mesh.

Affected Versions

All Apache Thrift versions before 0.23.0 using the c_glib language bindings are vulnerable.

Remediation

The fix is to upgrade Apache Thrift to version 0.23.0 or later, which corrects the memory management routine mismatch in the c_glib bindings.

For organizations that cannot immediately upgrade:

  • Restrict network access to Thrift c_glib servers to trusted IP ranges only
  • Deploy a Web Application Firewall (WAF) or API gateway that can inspect and filter malformed Thrift protocol frames
  • Monitor server logs for repeated free(): invalid pointer errors, which indicate exploit attempts
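The third mitigation above, checking logs for repeated free(): invalid pointer aborts, is easy to automate. The following detection script is an added example and not part of the advisory or the Thrift project; it assumes a syslog-style line format, a service process named thrift-svc, and a sample log that is constructed here (the threshold of three crashes of distinct PIDs within five minutes is an assumption, chosen to separate a one-off crash from a server that is being knocked down again after every restart).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the advisory). Each restart of
# the service gets a new PID, so repeated crashes show up as distinct PIDs.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z host1 thrift-svc[4120]: free(): invalid pointer
2025-06-01T10:00:02Z host1 systemd[1]: thrift-svc.service: Main process exited, code=dumped, status=6/ABRT
2025-06-01T10:00:05Z host1 systemd[1]: thrift-svc.service: Scheduled restart job
2025-06-01T10:00:09Z host1 thrift-svc[4133]: free(): invalid pointer
2025-06-01T10:00:17Z host1 thrift-svc[4140]: free(): invalid pointer
2025-06-01T10:00:25Z host1 thrift-svc[4151]: free(): invalid pointer
2025-06-01T11:30:00Z host2 thrift-svc[900]: free(): invalid pointer
"""

# Assumed syslog-style layout: "<timestamp> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CRASH_MSG = "free(): invalid pointer"   # glibc abort message named in the advisory


def parse_crashes(log_text, proc_name="thrift-svc"):
    """Return (timestamp, host, pid) for every crash line emitted by proc_name."""
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != proc_name or CRASH_MSG not in m["msg"]:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        crashes.append((ts, m["host"], int(m["pid"])))
    return crashes


def find_crash_storms(crashes, window=timedelta(minutes=5), threshold=3):
    """Per host, flag any sliding window holding >= threshold crashes with distinct PIDs.

    Distinct PIDs mean the supervisor restarted the server and it was crashed
    again, which is the repeated pattern the advisory says to watch for.
    Returns {host: largest number of crashes seen in one window}.
    """
    by_host = defaultdict(list)
    for ts, host, pid in sorted(crashes):
        by_host[host].append((ts, pid))
    alerts = {}
    for host, events in by_host.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len({pid for _, pid in span}) >= threshold:
                alerts[host] = max(alerts.get(host, 0), len(span))
    return alerts
```

Running find_crash_storms(parse_crashes(SAMPLE_LOG)) flags host1 (four crashes in under a minute) and stays silent on host2, whose single crash is not by itself a signal.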

Security Insight

CVE-2025-48431 is a classic example of a “clean” denial-of-service bug that can be mistaken for a simple programming error during incident response. Unlike RCE vulnerabilities that produce loud signals, a crash from mismatched free() operations can silently take down production services. Organizations running Apache Thrift c_glib bindings should treat this with the urgency of any remote, unauthenticated DoS and prioritize the upgrade, especially given the low exploitation barrier and zero privileges required.
