kafka-python prior to 2.3.2 DoS via SCRAM Iteration Count in scram.py
Summary
| CVE | CVE-2026-10143 |
|---|---|
| State | PUBLISHED |
| Assigner | VulnCheck |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-10 22:16:55 UTC |
| Updated | 2026-07-01 13:16:42 UTC |
| Description | kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures. |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.005170000 probability, percentile 0.401910000 (date 2026-07-04)
Problem Types: CWE-400 | CWE-606 | CWE-400 CWE-400 Uncontrolled Resource Consumption | CWE-606 Unchecked Input for Loop Condition
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Dpkp | Kafka-python | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Dana Powers | Kafka-python | affected 2.3.2 git | Not specified |
| ADP | Red Hat | Red Hat Quay 3.10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.12 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:33683 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30076 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:28571 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-10143.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3... | [email protected] | github.com | Patch |
| www.vulncheck.com/advisories/kafka-python-prior-to-dos-via-scram-iteration-coun... | [email protected] | www.vulncheck.com | Patch, Third Party Advisory |
| github.com/dpkp/kafka-python/pull/3026 | [email protected] | github.com | Issue Tracking, Patch |
| access.redhat.com/security/cve/CVE-2026-10143 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/dpkp/kafka-python/pull/3019 | [email protected] | github.com | Issue Tracking, Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Katriel Moses (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-10T21:02:14.712Z | Reported to Red Hat. |
| ADP | 2026-06-10T20:22:39.262Z | Made public. |
Solutions
ADP: RHSA-2026:33683: Red Hat Quay 3.10
ADP: RHSA-2026:30076: Red Hat Quay 3.12
ADP: RHSA-2026:28571: Red Hat Quay 3.9
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.