CVE-2026-43868 Overview
CVE-2026-43868 is a Memory Allocation with Excessive Size Value vulnerability [CWE-789] affecting Apache Thrift versions before 0.23.0. Apache Thrift is a widely deployed cross-language Remote Procedure Call (RPC) framework used to build scalable services across heterogeneous environments. The flaw allows a remote, unauthenticated attacker to trigger excessive memory allocation by sending crafted input over the network. Successful exploitation results in resource exhaustion, leading to a denial-of-service condition on services that parse untrusted Thrift messages. The Apache Thrift project has released version 0.23.0 to address the issue.
Critical Impact
Remote, unauthenticated attackers can trigger excessive memory allocation in Apache Thrift services, causing denial of service through resource exhaustion.
Affected Products
- Apache Thrift versions before 0.23.0
- Applications and services embedding the Apache Thrift runtime libraries
- Cross-language RPC services exposing Thrift-compatible endpoints
Discovery Timeline
- 2026-05-05 - CVE-2026-43868 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43868
Vulnerability Analysis
The vulnerability is classified under [CWE-789] (Memory Allocation with Excessive Size Value). Apache Thrift parses incoming serialized messages that include length or size fields describing subsequent data structures such as lists, maps, sets, and binary blobs. When the runtime accepts an attacker-controlled size field without validating it against the actual size of the incoming message or against a sane upper bound, it allocates a buffer corresponding to that declared size. An attacker can declare an extremely large size while sending a small payload, forcing the server to attempt large allocations.
The attack vector is network-based, requires no authentication, and requires no user interaction. The impact is limited to availability — the flaw does not expose data confidentiality or integrity. Services that process Thrift traffic from untrusted clients are most exposed, particularly internet-facing gateways and microservice ingress points.
Root Cause
The root cause is insufficient validation of size and length fields embedded in Thrift protocol messages prior to allocating memory. The deserializer trusts the declared element count or byte length and allocates buffers accordingly, without enforcing limits proportional to the message frame.
Attack Vector
An attacker sends a crafted Thrift message to any reachable endpoint that uses the vulnerable runtime. The message advertises an oversized container or binary field. The server attempts to allocate the requested memory and either fails outright or exhausts available memory, terminating the process or degrading the host. Repeated requests amplify the impact across pooled worker processes.
No verified public proof-of-concept code is available. See the Apache Security Mailing List Thread for vendor details.
Detection Methods for CVE-2026-43868
Indicators of Compromise
- Repeated process crashes or out-of-memory (OOM) terminations on services that expose Thrift endpoints.
- Sudden spikes in resident memory consumption on Thrift server processes without a corresponding rise in legitimate request volume.
- Connection patterns where small request payloads correlate with large memory allocations on the receiver.
Detection Strategies
- Inventory all services using Apache Thrift libraries and identify versions older than 0.23.0 through software composition analysis.
- Inspect Thrift traffic at the application layer for messages declaring container or binary sizes that exceed the actual frame length.
- Correlate process restart events from orchestration platforms with inbound network activity targeting Thrift ports.
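The following Python is an added, constructed example (not Apache Thrift's own code, and not the specific code path fixed in 0.23.0) of the check described in the root-cause and detection sections above: it walks a TBinaryProtocol-encoded struct and rejects any string/binary length or container element count that cannot fit in the bytes remaining in the frame, using each element type's smallest wire size as a lower bound. The TType codes and minimum sizes follow the Thrift binary protocol; the function names are assumptions of this example.

```python
import struct

# Thrift binary-protocol TType codes and each type's smallest wire size.
STOP, BOOL, BYTE, DOUBLE, I16, I32, I64 = 0, 2, 3, 4, 6, 8, 10
STRING, STRUCT, MAP, SET, LIST = 11, 12, 13, 14, 15
MIN_SIZE = {BOOL: 1, BYTE: 1, DOUBLE: 8, I16: 2, I32: 4, I64: 8,
            STRING: 4, STRUCT: 1, MAP: 6, SET: 5, LIST: 5}

def _check_value(ttype, data, pos):
    """Validate the value of type ttype at data[pos:]; return the next offset."""
    if ttype in (BOOL, BYTE, DOUBLE, I16, I32, I64):
        return pos + MIN_SIZE[ttype]
    if ttype == STRING:  # binary fields share this wire type
        (n,) = struct.unpack_from(">i", data, pos)
        if n < 0 or n > len(data) - pos - 4:
            raise ValueError(f"string length {n} exceeds remaining frame")
        return pos + 4 + n
    if ttype in (LIST, SET):
        etype, n = struct.unpack_from(">bi", data, pos)
        if n < 0 or n * MIN_SIZE[etype] > len(data) - pos - 5:
            raise ValueError(f"container of {n} elements exceeds remaining frame")
        pos += 5
        for _ in range(n):
            pos = _check_value(etype, data, pos)
        return pos
    if ttype == MAP:
        ktype, vtype, n = struct.unpack_from(">bbi", data, pos)
        if n < 0 or n * (MIN_SIZE[ktype] + MIN_SIZE[vtype]) > len(data) - pos - 6:
            raise ValueError(f"map of {n} entries exceeds remaining frame")
        pos += 6
        for _ in range(n):
            pos = _check_value(vtype, data, _check_value(ktype, data, pos))
        return pos
    if ttype == STRUCT:
        return check_struct(data, pos)
    raise ValueError(f"unknown TType {ttype}")

def check_struct(data, pos=0):
    """Walk one struct's fields up to STOP; raise on an oversized declaration."""
    while data[pos] != STOP:
        pos = _check_value(data[pos], data, pos + 3)  # skip type byte + i16 field id
    return pos + 1

def frame_is_plausible(frame):
    # True only if every declared size in the struct fits the frame it arrived in.
    try:
        check_struct(frame)
        return True
    except (ValueError, KeyError, IndexError, struct.error):
        return False
```

frame_is_plausible() rejects negative and oversized declarations as well as truncated frames, so a proxy or test harness can apply it before a frame reaches the deserializer.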
Monitoring Recommendations
- Enable memory and OOM-kill alerts on hosts running Thrift-based services and forward them to centralized logging.
- Track request-to-memory ratios per service and alert on outliers indicative of allocation amplification.
- Monitor advisories from the Apache Security Mailing List Thread for follow-on guidance.
How to Mitigate CVE-2026-43868
Immediate Actions Required
- Upgrade Apache Thrift to version 0.23.0 or later across all affected applications, language bindings, and container images.
- Identify and prioritize internet-facing or untrusted-network-facing Thrift endpoints for immediate remediation.
- Rebuild and redeploy any services that statically link or vendor the Thrift runtime to ensure the patched version is in use.
Patch Information
The Apache Thrift project fixed this issue in version 0.23.0. Refer to the Apache Security Mailing List Thread for the official advisory and release notes.
Workarounds
- Restrict network exposure of Thrift endpoints using firewalls, service mesh policies, or mutual TLS to trusted clients only.
- Place Thrift services behind a reverse proxy that enforces request size limits proportional to expected payloads.
- Apply per-process memory limits using cgroups or container runtime constraints to contain allocation abuse until patching is complete.
# Configuration example: enforce a memory ceiling on a Thrift service container
docker run --memory=512m --memory-swap=512m \
    --name thrift-service \
    my-thrift-image:patched-0.23.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.