Kafka Race Condition Flaw Sends Messages to Wrong Topics

CVE Notify is flagging a concerning race condition vulnerability in the Apache Kafka Java producer client. According to their report, a flaw in how the client manages its buffer pool can lead to messages being silently delivered to unintended topics. This happens when a producer batch expires due to delivery.timeout.ms while its network request is still active. The buffer holding the batch’s data is prematurely returned to the pool. If a subsequent batch, possibly for a different topic, reuses this buffer before the original request finishes, message data can become corrupted, causing it to land in the wrong place without the producer realizing.

This isn’t just a theoretical hiccup. CVE Notify highlights two major impacts: data confidentiality is compromised if sensitive messages land in topics accessible by unauthorized consumers, and data integrity suffers as incorrect or malformed messages can cause deserialization failures and downstream data corruption for legitimate consumers. The vulnerability affects Apache Kafka versions up to and including 3.9.1, 4.0.1, and 4.1.1.
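The expire-then-reuse interleaving described in the two paragraphs above, as an added Python model that is not code from Apache Kafka or from CVE Notify. The buffer pool, batch and producer classes, the topic names and the payloads are constructed for the demonstration, and the model captures only who owns a buffer at each step, not Kafka's real data structures. Two release policies are compared: releasing the buffer the moment the batch expires (the behaviour the advisory describes) and deferring the release until the in-flight request has drained. With immediate release, bytes enqueued for the `payments` topic go out under the `public-metrics` topic; with deferred release each topic's request carries its own bytes.

```python
# Added illustration, not code from Apache Kafka or from CVE Notify: a minimal
# model of a producer buffer pool in which a batch's buffer is released when
# delivery.timeout.ms expires. "Immediate" release hands the buffer back even
# though a network request still references it; "deferred" release keeps it
# out of the pool until that request completes. Topics, payloads and the pool
# size are constructed for the demonstration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(eq=False)
class Buffer:
    data: bytearray


class BufferPool:
    """Free-list pool: allocate() recycles a released buffer when one exists."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.free: list[Buffer] = []

    def allocate(self) -> Buffer:
        return self.free.pop() if self.free else Buffer(bytearray(self.size))

    def deallocate(self, buf: Buffer) -> None:
        self.free.append(buf)


@dataclass(eq=False)
class Batch:
    topic: str
    buf: Buffer
    length: int = 0          # bytes of this batch currently in buf
    in_flight: bool = False  # a network request references buf
    expired: bool = False    # delivery.timeout.ms fired
    released: bool = False   # buf has gone back to the pool

    def append(self, payload: bytes) -> None:
        self.buf.data[: len(payload)] = payload
        self.length = len(payload)


class Producer:
    def __init__(self, pool: BufferPool, defer_release: bool) -> None:
        self.pool = pool
        self.defer_release = defer_release  # True models the corrected behaviour
        self.delivered: list[tuple[str, bytes]] = []  # (topic, bytes) actually sent

    def new_batch(self, topic: str, payload: bytes) -> Batch:
        batch = Batch(topic, self.pool.allocate())
        batch.append(payload)
        return batch

    def send(self, batch: Batch) -> None:
        batch.in_flight = True  # the request now reads from batch.buf

    def expire(self, batch: Batch) -> None:
        """delivery.timeout.ms elapsed before the request finished."""
        batch.expired = True
        if self.defer_release and batch.in_flight:
            return  # deferred: the in-flight request still owns the bytes
        self._release(batch)  # immediate: buffer goes back to the pool now

    def complete(self, batch: Batch) -> tuple[str, bytes]:
        """The request drains: whatever the buffer holds now is what goes out."""
        wire = (batch.topic, bytes(batch.buf.data[: batch.length]))
        self.delivered.append(wire)
        batch.in_flight = False
        if batch.expired:
            self._release(batch)  # deferred path releases here, after the send
        return wire

    def _release(self, batch: Batch) -> None:
        if not batch.released:
            batch.released = True
            self.pool.deallocate(batch.buf)


def run_scenario(defer_release: bool) -> list[tuple[str, bytes]]:
    """A batch expires mid-request; a later batch for another topic reuses its buffer."""
    producer = Producer(BufferPool(size=32), defer_release)
    metrics = producer.new_batch("public-metrics", b"cpu=0.73")
    producer.send(metrics)     # request in flight...
    producer.expire(metrics)   # ...when delivery.timeout.ms fires
    payments = producer.new_batch("payments", b"card=4111xxxxxxxx1111")  # may get the same buffer
    producer.send(payments)
    producer.complete(metrics)   # the original request finally drains
    producer.complete(payments)
    return producer.delivered


def misrouted(delivered: list[tuple[str, bytes]]) -> list[str]:
    """Topics whose transmitted bytes differ from what was enqueued for them."""
    enqueued = {"public-metrics": b"cpu=0.73", "payments": b"card=4111xxxxxxxx1111"}
    return [topic for topic, payload in delivered if enqueued[topic] != payload]


if __name__ == "__main__":
    for defer in (False, True):
        label = "deferred release" if defer else "immediate release"
        print(label, run_scenario(defer), "misrouted:", misrouted(run_scenario(defer)))
```

The producer in the model never learns anything went wrong: `complete()` reports success for both requests in both policies, which is the "without the producer realizing" part of the advisory. The only place the corruption is visible is on the consumer side, where `misrouted()` stands in for a deserialization or schema check that would trip on card data arriving on a metrics topic.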

To patch this, Kafka users are strongly advised to upgrade. CVE Notify points to versions 3.9.2, 4.0.2, 4.1.2, 4.2.0, or any later releases as the fixes.

What This Means For You

  • Immediately assess your Kafka producer client configurations, particularly the `delivery.timeout.ms` setting, and prioritize upgrading affected Kafka versions to the patched releases (3.9.2, 4.0.2, 4.1.2, 4.2.0, or later) to prevent silent data exfiltration and integrity issues.
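One way to carry out the assessment in the bullet above, as an added Python example that is neither CVE Notify's nor the Kafka project's code: it pulls kafka-clients versions out of a Maven `dependency:tree` style listing, maps each to the patched release named above, and reports the effective `delivery.timeout.ms` of a producer config (120000 ms is the documented kafka-clients default). The listing and the config are constructed; treating every release below 3.9.2 as affected, with 3.9.2 as the upgrade target, is my reading of "up to and including 3.9.1".

```python
# Added example, not from CVE Notify or the Kafka project: audit a dependency
# listing for kafka-clients versions affected by the advisory and report the
# producer's effective delivery.timeout.ms. The listing and config below are
# constructed; the version boundaries are the ones the advisory quotes.
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Fixed releases on the 4.0 and 4.1 lines, as listed in the advisory; 4.2.0 and later carry the fix.
FIXED_4X = {0: (4, 0, 2), 1: (4, 1, 2)}
DEFAULT_DELIVERY_TIMEOUT_MS = 120_000  # documented kafka-clients default for delivery.timeout.ms

CLIENTS_RE = re.compile(r"org\.apache\.kafka:kafka-clients:jar:(\d+)\.(\d+)\.(\d+)")


def patched_version_for(v: Version) -> Version | None:
    """Release to move to, or None if v already carries the fix."""
    major, minor, _ = v
    if v >= (4, 2, 0):
        return None
    if major == 4:
        fixed = FIXED_4X.get(minor, (4, 2, 0))
        return None if v >= fixed else fixed
    # Assumption: everything at or below 3.9.1 is affected; 3.9.2 is the lowest fixed release.
    return None if v >= (3, 9, 2) else (3, 9, 2)


def audit_dependencies(listing: str) -> list[tuple[str, str | None]]:
    """(found version, recommended version or None) for each kafka-clients artifact."""
    results: list[tuple[str, str | None]] = []
    for m in CLIENTS_RE.finditer(listing):
        v: Version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        fixed = patched_version_for(v)
        results.append((".".join(map(str, v)), None if fixed is None else ".".join(map(str, fixed))))
    return results


def effective_delivery_timeout_ms(producer_config: dict[str, str]) -> int:
    """Configured delivery.timeout.ms, falling back to the client default."""
    return int(producer_config.get("delivery.timeout.ms", DEFAULT_DELIVERY_TIMEOUT_MS))


# Constructed sample input in `mvn dependency:tree` output style.
DEPENDENCY_TREE = """\
[INFO] +- org.apache.kafka:kafka-clients:jar:3.9.1:compile
[INFO] +- org.apache.kafka:kafka-clients:jar:4.0.1:compile
[INFO] +- org.apache.kafka:kafka-clients:jar:4.1.2:compile
[INFO] \\- org.apache.kafka:kafka-clients:jar:4.2.0:compile
"""
# Constructed producer config with no explicit delivery.timeout.ms.
PRODUCER_CONFIG = {"bootstrap.servers": "broker:9092", "acks": "all"}

if __name__ == "__main__":
    for found, fixed in audit_dependencies(DEPENDENCY_TREE):
        print(f"kafka-clients {found}: " + (f"upgrade to {fixed}" if fixed else "not affected"))
    print("effective delivery.timeout.ms =", effective_delivery_timeout_ms(PRODUCER_CONFIG))
```

The audit only matches the `kafka-clients` artifact, since that is where the producer client the advisory describes lives; applications that pull the producer in transitively through another Kafka artifact still show up in a full `dependency:tree` listing because Maven prints the resolved `kafka-clients` version underneath.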

Related ATT&CK Techniques

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-35554 | Race Condition | Apache Kafka Java producer client, buffer pool management, delivery.timeout.ms, ByteBuffer deallocation, message delivery to incorrect topics. Affected versions: <= 3.9.1, <= 4.0.1, <= 4.1.1. |
| CVE-2026-35554 | Data Confidentiality | Apache Kafka Java producer client, buffer pool management, delivery.timeout.ms, ByteBuffer deallocation, message delivery to incorrect topics. Affected versions: <= 3.9.1, <= 4.0.1, <= 4.1.1. |
| CVE-2026-35554 | Data Integrity | Apache Kafka Java producer client, buffer pool management, delivery.timeout.ms, ByteBuffer deallocation, message delivery to incorrect topics. Affected versions: <= 3.9.1, <= 4.0.1, <= 4.1.1. |