=====================================================================

                            CERT-Renater

                 Information Note No. 2026/VULN576
_____________________________________________________________________

DATE                : 02/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Fluss versions prior to 0.9.1.

=====================================================================
https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373
_____________________________________________________________________

CVE-2026-49361: Apache Fluss Netty Frame Decoder Memory Exhaustion
Vulnerability

Severity: important 

Affected versions:

- Apache Fluss (incubating) 0.8.0
- Apache Fluss (incubating) 0.9.0

Description:

Apache Fluss versions prior to 0.9.1 configure the Netty
LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum
frame length, allowing unauthenticated remote attackers to exhaust
JVM heap memory on TabletServer and CoordinatorServer by sending
specially crafted frame headers, resulting in denial of service.

This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.

Users are recommended to upgrade to version 0.9.1, which fixes
the issue.

Credit:

Andrea Cosentino (reporter)

References:

https://fluss.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-49361

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




