High (7.5)

Apache Thrift integer overflow crash (CVE-2026-41602)

CVE-2026-41602: Apache Thrift Go TFramedTransport integer overflow allows unauthenticated attackers to crash services (CVSS 7.5). Upgrade to Thrift 0.23.0.

Affected: Apache Thrift

Vendor-confirmed - CVE-2026-41602 is a high-severity integer overflow flaw in Apache Thrift’s Go TFramedTransport implementation (before 0.23.0) that lets remote attackers crash services without authentication. Patched in version 0.23.0 - upgrade to prevent denial-of-service conditions.

Overview

CVE-2026-41602 is a high-severity (CVSS 7.5) vulnerability in the Apache Thrift framework’s Go language library, specifically in the TFramedTransport component. TFramedTransport is the framing layer Thrift uses to delimit messages on a byte stream: every message is preceded by a 32-bit big-endian length so the receiver knows how many bytes belong to the frame. The vulnerability is an integer overflow or wraparound in the logic that processes that frame size.

When a Go Thrift server receives a message through TFramedTransport, it reads the 32-bit frame size from the connection and then uses that value to size the buffer and the read for the rest of the frame. Affected versions do not validate the value adequately before using it for allocation or buffer arithmetic, so a crafted header carrying an oversized length value wraps around during that computation, and the number the transport goes on to use no longer corresponds to the frame on the wire. Because Go bounds-checks every slice operation, the consequence is not silent corruption of adjacent heap memory but a runtime panic, for example when a negative or out-of-range length reaches the allocator or an index check, or an attempt to allocate a buffer far larger than any legitimate frame. An unrecovered panic in the goroutine handling the connection terminates the whole process, which is what makes this a reliable remote denial of service.

The vulnerability is remotely exploitable over the network without authentication (CVSS Attack Vector: Network; Privileges Required: None; User Interaction: None) and has low attack complexity, so any client that can open a connection to a vulnerable Thrift listener can reliably crash it. The impact is limited to denial of service rather than remote code execution, but the ease of exploitation and the widespread use of Apache Thrift in microservice and backend infrastructure raise the risk profile. EPSS currently estimates a 0.0% probability of exploitation in the next 30 days, which indicates that exploitation has not been observed in the wild; given how little the attack requires, that should not be read as a reason to defer patching.

Affected Products and Versions

  • Apache Thrift Go library (module github.com/apache/thrift, package lib/go/thrift): versions 0.13.0 through 0.22.0, when TFramedTransport is in use
  • Thrift libraries for other languages (C++, Java, Python and the rest) are not affected; the flaw is specific to the Go implementation of the framed transport

Remediation

The vendor has released Apache Thrift 0.23.0, which corrects the integer overflow by bounds-checking the frame size field before any memory is allocated. Upgrade the Go dependency to 0.23.0 or later: check what is currently pinned with "go list -m github.com/apache/thrift", update with "go get github.com/apache/thrift@v0.23.0", and then rebuild and redeploy every service binary, because a Go service is only fixed once it has been recompiled against the patched module (vendored copies of lib/go/thrift need the same update).
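
The following Go program is an added illustration, not Apache Thrift's own code, of the framing pattern described in the Overview and of the kind of bounds check the Remediation above says 0.23.0 adds. It reads a 4-byte big-endian length the way a framed transport does; the function names, the 16 MiB cap and the constructed wire bytes are assumptions for the example. The unchecked reader reinterprets the length as a signed 32-bit integer and sizes a buffer from it, which on a crafted header of 0xFFFFFFFF panics inside the Go runtime rather than corrupting memory; the checked reader keeps the length unsigned and rejects it against a maximum before allocating, and also surfaces a truncated frame as an error instead of hanging or crashing.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed example, not Apache Thrift's code. The limit and the names are
// assumptions; a real deployment takes its cap from the transport configuration.
const maxFrameSize uint32 = 16 * 1024 * 1024

var errFrameTooLarge = errors.New("frame size exceeds configured maximum")

// readFrameUnchecked shows the weak pattern the advisory describes: the 4-byte
// length is reinterpreted as a signed int32 and used to size the read buffer
// with no validation. A header of 0xFFFFFFFF becomes -1; Go refuses a negative
// slice length with a runtime panic ("makeslice: len out of range"), and an
// unrecovered panic in a request goroutine takes the whole process down.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	size := int32(binary.BigEndian.Uint32(hdr[:])) // wraps negative for >= 0x80000000
	buf := make([]byte, size)                      // panics when size < 0
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// readFrameChecked keeps the length unsigned (so it cannot wrap negative) and
// compares it against a configured maximum before any allocation, which is the
// class of fix the advisory attributes to Thrift 0.23.0.
func readFrameChecked(r io.Reader, limit uint32) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	size := binary.BigEndian.Uint32(hdr[:])
	if size > limit {
		return nil, fmt.Errorf("%w: %d > %d", errFrameTooLarge, size, limit)
	}
	buf := make([]byte, size) // bounded by limit, so at most limit bytes
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err // a truncated frame surfaces as io.ErrUnexpectedEOF
	}
	return buf, nil
}

// frame builds a wire frame with an arbitrary header value, so a header that
// disagrees with the payload (the crafted case) can be constructed directly.
func frame(header uint32, payload []byte) []byte {
	out := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(out, header)
	return append(out, payload...)
}

// panicked runs fn and reports whether it panicked, so the crash of the
// unchecked reader can be observed without killing the example process.
func panicked(fn func()) (hit bool) {
	defer func() {
		if recover() != nil {
			hit = true
		}
	}()
	fn()
	return false
}

func main() {
	good := frame(5, []byte("hello"))
	crafted := frame(0xFFFFFFFF, nil) // constructed: length field reads as -1 when signed

	b, err := readFrameChecked(bytes.NewReader(good), maxFrameSize)
	fmt.Printf("checked, good frame:    %q err=%v\n", b, err)

	_, err = readFrameChecked(bytes.NewReader(crafted), maxFrameSize)
	fmt.Println("checked, crafted frame:", err)

	fmt.Println("unchecked, crafted frame panics:",
		panicked(func() { _, _ = readFrameUnchecked(bytes.NewReader(crafted)) }))
}
```

The checked reader rejects the frame before touching the allocator, so the worst an attacker can force is one bounded allocation per connection; combining that check with a per-connection limit on the number of outstanding frames is what keeps a flood of maximum-size frames from becoming a memory-exhaustion attack instead of a crash.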

Mitigation Options

If an immediate upgrade is not possible, the following reduce exposure; none of them removes the flaw, so treat them as interim measures:

  • Disable TFramedTransport on the server and use TBufferedTransport or a custom framing layer instead. This only works if every client is changed at the same time: framed and unframed peers cannot interoperate, and some server types depend on framing.
  • Apply network-layer rate limiting and per-source connection caps to limit how often a given client can trigger a restart. Ordinary network filters do not parse Thrift frame headers, so rejecting oversized frames requires something that understands the protocol.
  • Where Thrift is carried over HTTP, a Web Application Firewall or API gateway can reject malformed requests; for raw TCP listeners a WAF sees nothing useful, and a protocol-aware proxy that validates the frame length is needed instead.
  • Restrict network access to Thrift endpoints to trusted IP ranges or internal networks only. Since the attack needs nothing more than a TCP connection to the listener, this is the most effective interim control.

Security Insight

This vulnerability reflects a recurring pattern in network protocol libraries: integer arithmetic in framing parsers remains a blind spot even in mature projects like Apache Thrift. The Go-specific nature of this flaw also highlights a broader risk — translated or language-specific ports of core infrastructure libraries often miss security hardening applied in the reference implementation. Organizations running Thrift in Go microservices should review their dependency chains for similar integer-handling gaps, particularly in transport-layer code that serializes and deserializes message boundaries.
