Apache Thrift, the cross-language RPC framework that large technology companies use to bridge communication between services written in different programming languages, has issued a sweeping security update. The project recently disclosed a series of vulnerabilities, ranging from memory corruption to critical certificate validation failures, that affect nearly every major language binding, including Java, Go, C++, Node.js, and Swift.
Security teams are urged to move quickly, as several of these issues could lead to complete system compromise or persistent service outages.
The most severe disclosure in this batch is CVE-2026-41603, a critical vulnerability in the Java TSSLTransportFactory.
The factory does not properly validate a server certificate whose name does not match the host being connected to (a host mismatch). In practice, this means an attacker positioned on the network path could perform a man-in-the-middle (MitM) attack, successfully impersonating a legitimate Thrift server even over an encrypted SSL/TLS connection, because the client never rejects the wrong identity.
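To show what the missing check is supposed to do from the defender's side, here is an added Go example that is not code from the Apache Thrift project or from this article. It mints a self-signed certificate for the constructed name thrift.example, runs a TLS handshake over an in-memory pipe, and lets Go's standard crypto/tls verifier decide: the client accepts the server only when the name it expects (ServerName) is covered by the certificate, and reports a hostname mismatch otherwise. The certificate, both names and the helper functions are assumptions made for the demonstration; the same decision is what a correct host-mismatch check in any binding must produce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway certificate valid only for dnsName, plus a
// pool that trusts it. Constructed in memory so the demo needs no files or network.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // the only name this certificate vouches for
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs a TLS handshake over an in-memory pipe. The server presents a
// certificate for `presented`; the client is configured to talk to `expected`
// and leaves the comparison to the standard verifier. A nil result means the
// client accepted the server's identity.
func Handshake(presented, expected string) error {
	cert, pool, err := selfSignedCert(presented)
	if err != nil {
		return err
	}
	srvEnd, cliEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // bound the demo if anything stalls
	_ = srvEnd.SetDeadline(deadline)
	_ = cliEnd.SetDeadline(deadline)

	server := tls.Server(srvEnd, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true, // keeps the server flight minimal over the synchronous pipe
	})
	go func() {
		_ = server.Handshake() // the server's outcome is not what is under test
		srvEnd.Close()
	}()

	client := tls.Client(cliEnd, &tls.Config{
		RootCAs:    pool,     // trust anchor: the constructed certificate itself
		ServerName: expected, // the identity the client insists on; never leave it empty
		MinVersion: tls.VersionTLS12,
	})
	defer cliEnd.Close()
	return client.Handshake()
}

// IsHostnameMismatch reports whether the verifier rejected the connection
// specifically because the certificate's names do not cover ServerName.
func IsHostnameMismatch(err error) bool {
	var h x509.HostnameError
	return errors.As(err, &h)
}

func main() {
	fmt.Println("matching name:   ", Handshake("thrift.example", "thrift.example"))
	err := Handshake("thrift.example", "other.example")
	fmt.Println("mismatched name: ", err, "| hostname mismatch:", IsHostnameMismatch(err))
}
```

The point to take from the second call is that the rejection comes from the library, not from application code: a client that sets ServerName and leaves certificate verification enabled gets the host check for free, while a transport that skips or mis-implements that comparison, as the article says the Java factory does, accepts the impersonator.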
While the Java binding's problem is one of identity, other language bindings face classic memory-management and arithmetic errors that can be triggered by specially crafted inputs.
- Invalid-pointer crash (c_glib): Under CVE-2025-48431, a malicious request can trigger mismatched memory-management routines (memory released by a routine other than the one that allocated it). The result is a fatal "free(): invalid pointer" error that crashes the server instantly.
- Integer overflows (Go and Swift): Both the Go implementation (CVE-2026-41602) and the Swift Compact Protocol implementation (CVE-2026-41605) are vulnerable to integer overflow or wraparound errors. Such errors can be used to bypass security checks or cause unpredictable behaviour in the transport layer.
- Out-of-bounds reads (C++ and Swift): CVE-2026-41607 and CVE-2026-41604 allow an attacker to read data beyond the intended memory buffers, potentially leaking sensitive information from the server process's memory.
Parsing nested data has also led to uncontrolled-recursion vulnerabilities in the c_glib and Node.js bindings (CVE-2026-41606 and CVE-2026-41636). By sending deeply nested objects, an attacker can force the server to exhaust its stack, a typical denial-of-service (DoS) condition.
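The integer-overflow, out-of-bounds-read and uncontrolled-recursion items above share one root cause: lengths, element counts and nesting depth taken from the wire and trusted without bounds. The following Go example, added here and not part of Apache Thrift or of this article, shows a decoder that validates a 4-byte big-endian signed length prefix (the layout Thrift's framed transport uses) before trusting it, and then parses a small constructed nested-list encoding (not Thrift's wire protocol) with a container-count check and a hard recursion limit. The limits, the type tags and the sample frames are all assumptions made for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits chosen for the demonstration (assumptions, not Thrift defaults).
const (
	MaxFrameSize = 16 * 1024 * 1024 // largest frame we will buffer
	MaxDepth     = 64               // deepest container nesting we will follow
)

var (
	ErrFrameTooLarge = errors.New("frame length negative or above MaxFrameSize")
	ErrTruncated     = errors.New("payload shorter than its declared length")
	ErrTooDeep       = errors.New("container nesting exceeds MaxDepth")
	ErrBadSize       = errors.New("container count negative or larger than remaining bytes")
)

// ReadFrame validates the 4-byte big-endian signed length prefix before
// trusting it: checked as a signed int32, against a ceiling, and against the
// bytes actually received, so a negative or wrapped length can never size a
// buffer or index past the end of what was read.
func ReadFrame(buf []byte) ([]byte, error) {
	if len(buf) < 4 {
		return nil, ErrTruncated
	}
	n := int32(binary.BigEndian.Uint32(buf[:4]))
	if n < 0 || int64(n) > MaxFrameSize {
		return nil, ErrFrameTooLarge
	}
	if int(n) > len(buf)-4 {
		return nil, ErrTruncated
	}
	return buf[4 : 4+int(n)], nil
}

// Constructed toy encoding for the payload (not Thrift's wire protocol):
// tagI32 is followed by a 4-byte value; tagList by an int32 count and that
// many nested values.
const (
	tagList byte = 0x01
	tagI32  byte = 0x02
)

type decoder struct {
	buf []byte
	pos int
}

func (d *decoder) readI32() (int32, error) {
	if d.pos+4 > len(d.buf) {
		return 0, ErrTruncated
	}
	v := int32(binary.BigEndian.Uint32(d.buf[d.pos:]))
	d.pos += 4
	return v, nil
}

// decodeValue counts the leaf values under one node, refusing to recurse
// past MaxDepth so a deeply nested payload cannot exhaust the stack.
func (d *decoder) decodeValue(depth int) (int, error) {
	if depth > MaxDepth {
		return 0, ErrTooDeep
	}
	if d.pos >= len(d.buf) {
		return 0, ErrTruncated
	}
	tag := d.buf[d.pos]
	d.pos++
	switch tag {
	case tagI32:
		_, err := d.readI32()
		return 1, err
	case tagList:
		count, err := d.readI32()
		if err != nil {
			return 0, err
		}
		// every element needs at least its tag byte, so a count larger than
		// the remaining payload is dishonest and is rejected before any loop runs
		if count < 0 || int(count) > len(d.buf)-d.pos {
			return 0, ErrBadSize
		}
		leaves := 0
		for i := int32(0); i < count; i++ {
			n, err := d.decodeValue(depth + 1)
			if err != nil {
				return 0, err
			}
			leaves += n
		}
		return leaves, nil
	default:
		return 0, fmt.Errorf("unknown type tag %#x", tag)
	}
}

// DecodeFrame applies both layers of checks to one received buffer.
func DecodeFrame(raw []byte) (int, error) {
	payload, err := ReadFrame(raw)
	if err != nil {
		return 0, err
	}
	return (&decoder{buf: payload}).decodeValue(0)
}

// Frame and Nested build constructed sample inputs: a length-prefixed frame,
// and a list nested depth times around a single i32.
func Frame(payload []byte) []byte {
	out := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	copy(out[4:], payload)
	return out
}

func Nested(depth int) []byte {
	var b []byte
	for i := 0; i < depth; i++ {
		b = append(b, tagList, 0, 0, 0, 1)
	}
	return append(b, tagI32, 0, 0, 0, 42)
}

func main() {
	for _, in := range [][]byte{Frame(Nested(3)), Frame(Nested(200)), {0xFF, 0xFF, 0xFF, 0xFF}} {
		n, err := DecodeFrame(in)
		fmt.Printf("leaves=%d err=%v\n", n, err)
	}
}
```

Three habits carry over to any binding: convert a wire length to a signed type and compare it before using it to allocate or slice, bound container counts by the bytes that remain rather than by the count alone, and make recursion depth an explicit parameter with a ceiling so the error is a clean rejection instead of a stack overflow.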
The Apache Thrift team has kept remediation simple: regardless of which language binding your project uses, the fix is a single upgrade.
All users on versions prior to 0.23.0 should upgrade to Apache Thrift 0.23.0 immediately to resolve these issues.