High (8.2)

Apache Thrift OOB read leaks data (CVE-2026-41604)

CVE-2026-41604: Apache Thrift before 0.23.0 has an out-of-bounds read vulnerability (CVSS 8.2). Update to 0.23.0 to prevent memory data leakage over the network.

Affected: Apache Thrift

Vendor-confirmed - CVE-2026-41604 is a high-severity out-of-bounds read vulnerability in Apache Thrift versions before 0.23.0 that lets unauthenticated network attackers read sensitive memory contents from the server process. Patched in version 0.23.0 - update now.

Overview

CVE-2026-41604 affects the serialization library Apache Thrift in versions prior to 0.23.0. The flaw exists in the framework’s handling of malformed messages during deserialization. When a specially crafted request is sent over the wire, the library can read memory outside the bounds of the intended buffer, disclosing heap data that may include credentials, session tokens, encryption keys, or other sensitive runtime information.

The vulnerability is remotely exploitable without authentication and requires no user interaction. The CVSS 8.2 score reflects the low attack complexity and network-based attack vector. Because Apache Thrift is commonly embedded within backend microservices, database connectors, and distributed system communication layers, a disclosure of in-memory data can cascade into lateral movement or privilege escalation within an internal network.

Affected Versions

All versions of Apache Thrift before 0.23.0 are vulnerable. This includes the core library in C++, Java, Python, and other supported languages.

Remediation

Update to Apache Thrift 0.23.0 immediately. The release contains a fix that validates buffer boundaries during deserialization, preventing the out-of-bounds read condition.
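As an added illustration, not Apache Thrift's own code and not the specific defect behind CVE-2026-41604 (which this advisory does not detail), here is the kind of boundary validation the fix is described as performing: a C reader for a Thrift binary-protocol string field (a big-endian int32 byte length followed by the bytes) that rejects a declared length larger than what remains in the buffer instead of reading past it. The field names and sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Thrift's TBinaryProtocol encodes a string as a big-endian int32 byte length
   followed by that many bytes. A decoder that trusts the declared length
   without comparing it to the bytes still in the frame reads past the buffer:
   the out-of-bounds read class this advisory describes. */

enum { OK = 0, ERR_TRUNCATED = 1, ERR_BAD_LENGTH = 2 };

static int32_t read_i32_be(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Bounds-checked read of one string field at buf[*pos]. On success the
   string is copied into out (NUL-terminated) and *pos advances past it. */
int read_thrift_string(const uint8_t *buf, size_t buf_len, size_t *pos,
                       char *out, size_t out_cap) {
    if (*pos > buf_len || buf_len - *pos < 4) return ERR_TRUNCATED;
    int32_t len = read_i32_be(buf + *pos);
    if (len < 0) return ERR_BAD_LENGTH;                 /* negative length */
    size_t remaining = buf_len - *pos - 4;
    if ((size_t)len > remaining) return ERR_BAD_LENGTH; /* exceeds frame: the unsafe read */
    if ((size_t)len >= out_cap) return ERR_BAD_LENGTH;  /* would overflow out */
    memcpy(out, buf + *pos + 4, (size_t)len);
    out[len] = '\0';
    *pos += 4 + (size_t)len;
    return OK;
}

/* Constructed sample fields (not captured traffic): a well-formed "hello",
   and a malformed field declaring 0x7fffffff bytes of which only two follow. */
static const uint8_t GOOD_FIELD[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t BAD_FIELD[]  = {0x7f, 0xff, 0xff, 0xff, 'h', 'i'};

int good_field_accepted(void) {
    size_t pos = 0; char out[32];
    return read_thrift_string(GOOD_FIELD, sizeof GOOD_FIELD, &pos, out, sizeof out) == OK
           && pos == 9 && strcmp(out, "hello") == 0;
}

int bad_field_rejected(void) {
    size_t pos = 0; char out[32];
    return read_thrift_string(BAD_FIELD, sizeof BAD_FIELD, &pos, out, sizeof out) == ERR_BAD_LENGTH
           && pos == 0; /* nothing consumed, nothing read past the buffer */
}
```

The same comparison against the remaining frame length applies to every length-prefixed element (lists, maps, binary fields), which is why a single missed check in a decoder exposes heap contents to anyone who can reach the port.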

For environments where immediate patching is not possible:

  • Restrict network access to Apache Thrift endpoints using firewalls or network segmentation.
  • Monitor for anomalous or malformed messages on Thrift protocol ports.

Rebuild any applications or services that statically link or embed the affected library after updating to 0.23.0.

Security Insight

This vulnerability reflects a recurring pattern in high-performance serialization frameworks: optimizing for throughput over safety. Apache Thrift, like Protocol Buffers and FlatBuffers, has historically prioritized speed, leaving bounds-checking as a deferred implementation detail. CVE-2026-41604 is a reminder that in any library parsing data received over a network, memory safety must be the baseline, not a feature flag. The fix in 0.23.0 is necessary but overdue; organizations should treat similar serialization libraries with a higher risk posture when evaluating their software supply chain.
