4 matches found
CVE-2026-49361
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAXVALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting...
CVE-2026-49361 Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAXVALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting...
CVE-2026-49361
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAXVALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting...
Apache Fluss security vulnerabilities
Apache Fluss is a streaming storage system developed by the Apache Foundation in the United States. Versions 0.8.0 and 0.9.0 of Apache Fluss contain security vulnerabilities. These vulnerabilities stem from the use of Integer.MAXVALUE as the maximum frame length in the Netty...