- Package:
- src:python-kafka
- Source:
- src:python-kafka
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2026-06-23 15:35:01 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for python-kafka.

CVE-2026-10142[0]:
| kafka-python prior to 2.3.2 contains a denial-of-service
| vulnerability in the protocol parser that allows a malicious broker
| or machine-in-the-middle attacker to exhaust memory or hang
| connections by sending a crafted 4-byte frame length value without
| bounds validation. Attackers can send a specially crafted frame
| length through the receive_bytes() function to trigger either a
| multi-gigabyte memory allocation or an uncaught ValueError that
| leaves the connection in a broken state, causing requests to hang
| and consumers to stop heartbeating until restart.

https://github.com/dpkp/kafka-python/pull/3019
https://github.com/dpkp/kafka-python/pull/3026

Fixed by:
https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b (3.0.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10142
    https://www.cve.org/CVERecord?id=CVE-2026-10142

Please adjust the affected versions in the BTS as needed.
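The advisory above describes two outcomes of trusting a peer-supplied 4-byte length: a multi-gigabyte allocation, or a ValueError that escapes and leaves the connection half-read. The following is an added example written for this page to show both shapes side by side; it is not kafka-python's receive_bytes() and does not reproduce upstream's fix. It assumes only what the advisory states (every response carries a peer-controlled 4-byte length prefix, modelled here as a big-endian signed int32); MAX_FRAME, CHUNK, ProtocolError, Connection, try_read and the constructed inputs are this example's own choices. The unbounded reader is only ever fed the negative-length prefix here, since the 2 GiB prefix would really try to allocate 2 GiB.

```python
"""Bounded vs. unbounded handling of a 4-byte frame-length prefix.

Added example for the advisory above; not kafka-python's receive_bytes()
and not upstream's fix. Assumes a peer-controlled big-endian int32 length
prefix; every constant and name below is this example's own choice.
"""
import io
import struct

# Assumed ceiling for one response. Derive it from what your brokers are
# configured to send, never from the value on the wire.
MAX_FRAME = 100 * 1024 * 1024
CHUNK = 64 * 1024


class ProtocolError(Exception):
    """Malformed frame; the stream offset is now untrustworthy."""


def _read_exact(stream, n):
    """Read exactly n bytes in bounded chunks without pre-allocating n."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(min(CHUNK, n - len(buf)))
        if not chunk:
            raise EOFError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def read_frame_unbounded(stream):
    """Vulnerable shape: the peer-supplied length sizes the allocation.

    0x7fffffff asks bytearray() for 2 GiB; 0xffffffff unpacks to -1 and
    bytearray(-1) raises ValueError. If nothing catches that, the stream
    is left positioned mid-frame: the broken state the advisory describes.
    """
    (size,) = struct.unpack(">i", stream.read(4))
    buf = bytearray(size)
    stream.readinto(buf)
    return bytes(buf)


def read_frame_bounded(stream, max_frame=MAX_FRAME):
    """Hardened shape: validate the length before it drives anything."""
    (size,) = struct.unpack(">i", _read_exact(stream, 4))
    if size < 0 or size > max_frame:
        raise ProtocolError(f"frame length {size} outside [0, {max_frame}]")
    return _read_exact(stream, size)


class Connection:
    """Fail closed: after one framing error every later read fails fast.

    Keeping the socket open with an unknown number of unread bytes pending
    is how a consumer ends up hanging instead of reconnecting.
    """

    def __init__(self, stream, max_frame=MAX_FRAME):
        self._stream = stream
        self._max_frame = max_frame
        self.alive = True

    @classmethod
    def from_bytes(cls, data, max_frame=MAX_FRAME):
        return cls(io.BytesIO(data), max_frame)

    def recv_frame(self):
        if not self.alive:
            raise ProtocolError("connection closed after earlier framing error")
        try:
            return read_frame_bounded(self._stream, self._max_frame)
        except (ProtocolError, EOFError):
            self.alive = False
            raise


def frame(payload):
    """Encode one well-formed frame (used to build constructed inputs)."""
    return struct.pack(">i", len(payload)) + payload


def try_read(reader, data):
    """Run a reader over in-memory bytes; report the outcome instead of raising."""
    try:
        return ("ok", reader(io.BytesIO(data)))
    except Exception as exc:  # surface the class so callers can compare it
        return ("error", type(exc).__name__, str(exc))


# Constructed inputs: one good frame, two hostile length prefixes with no body.
GOOD = frame(b"hello")
NEGATIVE_LEN = b"\xff\xff\xff\xff"   # int32 -1
HUGE_LEN = b"\x7f\xff\xff\xff"       # int32 2**31 - 1; never feed to the unbounded reader

if __name__ == "__main__":
    print(try_read(read_frame_bounded, GOOD))
    print(try_read(read_frame_unbounded, NEGATIVE_LEN))
    for hostile in (NEGATIVE_LEN, HUGE_LEN, GOOD[:6]):
        print(try_read(read_frame_bounded, hostile))
```

Two design points worth carrying into real code: the bound is checked before the length is used for anything (allocation, recv size or loop count), and the reader never pre-allocates the declared size, so even a length just under the cap costs memory only as bytes actually arrive. Marking the connection dead on the first framing error is what turns "requests hang until restart" into an immediate reconnect.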
Hello,

Bug #1139878 in python-kafka reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/python/python-kafka/-/commit/3b98ca86867701e9dddf40d33ca4d4bc2869d45f

------------------------------------------------------------------------
  * CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
    vulnerability in the protocol parser that allows a malicious broker or
    machine-in-the-middle attacker to exhaust memory or hang connections by
    sending a crafted 4-byte frame length value without bounds validation.
    Attackers can send a specially crafted frame length through the
    receive_bytes() function to trigger either a multi-gigabyte memory
    allocation or an uncaught ValueError that leaves the connection in a broken
    state, causing requests to hang and consumers to stop heartbeating until
    restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
    (Closes: #1139878, #1139822).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1139878
We believe that the bug you reported is fixed in the latest version of
python-kafka, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1139878@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-kafka package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 13 Jun 2026 16:14:41 +0200
Source: python-kafka
Architecture: source
Version: 2.0.2-12
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1139822 1139878
Changes:
python-kafka (2.0.2-12) unstable; urgency=medium
.
* CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
vulnerability in the protocol parser that allows a malicious broker or
machine-in-the-middle attacker to exhaust memory or hang connections by
sending a crafted 4-byte frame length value without bounds validation.
Attackers can send a specially crafted frame length through the
receive_bytes() function to trigger either a multi-gigabyte memory
allocation or an uncaught ValueError that leaves the connection in a broken
state, causing requests to hang and consumers to stop heartbeating until
restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
(Closes: #1139878, #1139822).
Checksums-Sha1:
5b9349ba28d2494a8822b22d85330ddb8d0d1803 2299 python-kafka_2.0.2-12.dsc
e1086f767263824c1991ac678fbe5193c14422a6 11276 python-kafka_2.0.2-12.debian.tar.xz
00539bdd4a7e0dfcd2e1c88b17542f1db725f74e 8877 python-kafka_2.0.2-12_amd64.buildinfo
Checksums-Sha256:
fd521e7f29eb9d32f65aaf802202ac90baec07dcf24d8a83df39c09d9e3c81b2 2299 python-kafka_2.0.2-12.dsc
772800ce1dbb107e368c2d580e78f4c7f04e38c25dccdcea7a62ff663ea45ec6 11276 python-kafka_2.0.2-12.debian.tar.xz
efbe00c389f78ca6f10aa7444a3e7ec5d4e8644a7c3cb0107ba6417b5a7983d3 8877 python-kafka_2.0.2-12_amd64.buildinfo
Files:
b6c99144d03f0d07f6f5418a54993b31 2299 python optional python-kafka_2.0.2-12.dsc
9db2c7a891cc2569002dbd013c284609 11276 python optional python-kafka_2.0.2-12.debian.tar.xz
8b65c351b853a9187ab6e6b39a52d160 8877 python optional python-kafka_2.0.2-12_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmotaK4ACgkQ1BatFaxr
Q/6eQA/+KUNvf6VVyPCBId0HwKjmrVYUbtg5d0ZUVWIm9fPO8UxcViDzwCXY4LDl
56Bb6jraWmE19fSza/DqBAsRQuXbdPl+ULxzhBiu5eQqZza+0jBT/HAnVPSL9yzf
pA9r+oEiZXCxP5sw7uCSDpiDwdfpfgI1iVAUD7vBF40JYEA00lPb9HbUoTpg8bdY
zoAdyWvCFRRpOxydxiA2QnBkQ59Fa/pocQgzOnWAmXtMQp+1NWQB2oJcnLOovIY/
Su8roojWqOxm3FBadQu5Oq9Ijj1x+/foSfAUyCsF2eWnMFoxmOg9pPtexFTn87HJ
F6M7NLnQkTcOl5f1OQyjsH/mt6i/qArcFRTzc/FNKPAZZ9cEfHzvOHYRxkOtQUPT
NTd2tltpY8iG7XluKZhy9Z9znNjqMevPYklY4Xodt/QdjU9P0ivfbZe2Y2rMwrrG
QKDgLS2IO9vT1/0YGglkar/zAc3iM4UItyf40MHKL02A7fuJne3l318XiR7qwXz3
mykjzH+VmaiJvbDq2yF7MX/b9aJVGoJN6hbq4oY+Hh4qxWZZ+RfcgQTTAt9Guqcp
K/mmkkSwt/VUqvYy8DS33aC/ra1HxOVa/GT0klU0Z2ygrRd0ZJ687hVF/18ukSGc
YA5y4eIP8D2tVEWK/sH2O1st1TwTW30latWXE3qWXWfjzUkaBE8=
=QUyg
-----END PGP SIGNATURE-----
python-kafka (2.0.2-12) unstable; urgency=medium
.
* CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
vulnerability in the protocol parser that allows a malicious broker or
machine-in-the-middle attacker to exhaust memory or hang connections by
sending a crafted 4-byte frame length value without bounds validation.
Attackers can send a specially crafted frame length through the
receive_bytes() function to trigger either a multi-gigabyte memory
allocation or an uncaught ValueError that leaves the connection in a broken
state, causing requests to hang and consumers to stop heartbeating until
restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
(Closes: #1139878, #1139822).
This is the fix for CVE-2026-10143.
https://github.com/dpkp/kafka-python/commit/bdb46ab1fe4f090dd8bf710c7ddb778993bbc16b
Upstream additionally lists as needed for the CVEs:
https://github.com/dpkp/kafka-python/commit/7250337f54ee60695f2a7faedd1ec2758fc7ac29
Further details:
https://github.com/dpkp/kafka-python/issues/3014#issuecomment-4663299889
cu
Adrian
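The patch referred to throughout this thread is titled "Validate SASL/SCRAM iterations", and the page says no more about it than that. The following is an added example written for this page, not kafka-python's code and not the content of that patch. It assumes, which the page does not state, that the point of such validation is to bound the iteration count a broker sends in its SCRAM server-first-message ("r=<nonce>,s=<salt>,i=<iterations>", RFC 5802), because the client runs PBKDF2 that many times before it can answer. MIN_ITERATIONS, MAX_ITERATIONS, ScramError, the helper names and the constructed messages are this example's own.

```python
"""Bounding the iteration count in a SCRAM server-first-message.

Added example for this page; not kafka-python's code and not the
"Validate SASL/SCRAM iterations" patch itself. It assumes the patch's
purpose is to cap the broker-supplied 'i=' value (RFC 5802) before the
client spends that many PBKDF2 rounds. Limits and names are this
example's own choices.
"""
import base64
import hashlib

MIN_ITERATIONS = 4096       # RFC 5802 recommends at least 4096
MAX_ITERATIONS = 1_000_000  # assumed cap; set it to what your brokers actually use


class ScramError(Exception):
    """Server-first-message rejected; abort the handshake and drop the connection."""


def parse_server_first(msg, client_nonce, max_iterations=MAX_ITERATIONS):
    """Parse and validate the server-first-message before any PBKDF2 work."""
    fields = {}
    for part in msg.split(b","):
        if len(part) < 2 or part[1:2] != b"=":
            raise ScramError(f"malformed attribute {part!r}")
        fields[part[:1]] = part[2:]
    missing = [k for k in (b"r", b"s", b"i") if k not in fields]
    if missing:
        raise ScramError(f"missing attribute(s) {missing!r}")

    # The server nonce must begin with, and extend, the nonce we sent.
    nonce = fields[b"r"]
    if not nonce.startswith(client_nonce) or len(nonce) <= len(client_nonce):
        raise ScramError("server nonce does not extend the client nonce")

    # Bound the iteration count before it drives any computation.
    iters_raw = fields[b"i"]
    if not iters_raw.isdigit():          # rejects b'', b'-1', b'+1', b'1e9'
        raise ScramError(f"iteration count {iters_raw!r} is not a decimal integer")
    iterations = int(iters_raw)
    if not MIN_ITERATIONS <= iterations <= max_iterations:
        raise ScramError(
            f"iteration count {iterations} outside [{MIN_ITERATIONS}, {max_iterations}]")

    try:
        salt = base64.b64decode(fields[b"s"], validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        raise ScramError(f"salt is not valid base64: {exc}") from exc
    if not salt:
        raise ScramError("empty salt")
    return nonce, salt, iterations


def salted_password(password, salt, iterations):
    """SaltedPassword := Hi(password, salt, i); call only after validation."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def check_server_first(msg, client_nonce, max_iterations=MAX_ITERATIONS):
    """Report ('ok', iterations) or ('rejected', reason) without raising."""
    try:
        _, _, iterations = parse_server_first(msg, client_nonce, max_iterations)
        return ("ok", iterations)
    except ScramError as exc:
        return ("rejected", str(exc))


# Constructed messages (not captured from any broker).
CLIENT_NONCE = b"rOprNGfwEbeRWgbNEkqO"
SALT_B64 = base64.b64encode(b"constructed-salt")


def _server_first(iterations):
    return b"r=" + CLIENT_NONCE + b"hvYDpWUa2RaTCAfuxFIlj,s=" + SALT_B64 + b",i=" + iterations


SERVER_FIRST_OK = _server_first(b"4096")
SERVER_FIRST_HUGE = _server_first(b"2000000000")
SERVER_FIRST_NEGATIVE = _server_first(b"-1")
SERVER_FIRST_TINY = _server_first(b"1")

if __name__ == "__main__":
    for m in (SERVER_FIRST_OK, SERVER_FIRST_HUGE, SERVER_FIRST_NEGATIVE, SERVER_FIRST_TINY):
        print(check_server_first(m, CLIENT_NONCE))
    _, salt, iters = parse_server_first(SERVER_FIRST_OK, CLIENT_NONCE)
    print(salted_password(b"pencil", salt, iters).hex())
```

The cap is deliberately a parameter: a broker is free to choose a high iteration count, and the right ceiling is whatever your own brokers are configured with plus headroom, not a universal constant. The lower bound matters too, since a server that hands out i=1 is weakening the stored-key derivation rather than attacking the client.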