{"api_version":"1","generated_at":"2026-07-10T18:13:01+00:00","cve":"CVE-2026-40006","urls":{"html":"https://cve.report/CVE-2026-40006","api":"https://cve.report/api/cve/CVE-2026-40006.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-40006","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-40006"},"summary":{"title":"Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded allocation in IoTDB AirGap pipe receiver","description":"Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB.\nWhen pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver\naccepts raw TCP connections on port 9780 with no authentication. The\nreadLength method reads an attacker-controlled 32-bit integer from the\nsocket and readData passes it directly to new byte[length] with no\nupper-bound check. An unauthenticated attacker can cause the JVM to attempt\nan allocation of up to 2,147,483,647 bytes per connection, exhausting heap\nmemory and crashing or severely degrading the DataNode process.\n\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.10.\n\nUsers are recommended to upgrade to version 2.0.10, which fixes the issue.","state":"PUBLISHED","assigner":"apache","published_at":"2026-07-10 08:16:22","updated_at":"2026-07-10 16:16:29"},"problem_types":["CWE-306","CWE-770","CWE-789","CWE-789 CWE-789 Memory Allocation with Excessive Size Value","CWE-770 CWE-770 Allocation of Resources Without Limits or Throttling","CWE-306 CWE-306 Missing Authentication for Critical Function"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://lists.apache.org/thread/rfpt7m9fvdrw37r3ow5omp2n914z6zqk","name":"https://lists.apache.org/thread/rfpt7m9fvdrw37r3ow5omp2n914z6zqk","refsource":"security@apache.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2026/07/10/3","name":"http://www.openwall.com/lists/oss-security/2026/07/10/3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-40006","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40006","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache IoTDB","version":"affected 1.0.0 2.0.10 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"bugbunny.ai","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-07-10T14:54:54.148Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/07/10/3"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-40006","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-10T14:59:12.142625Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-10T14:59:16.628Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache IoTDB","vendor":"Apache Software Foundation","versions":[{"lessThan":"2.0.10","status":"affected","version":"1.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"bugbunny.ai"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB.<br><span style=\"background-color: rgb(255, 255, 255);\">When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver\naccepts raw TCP connections on port 9780 with no authentication. The\nreadLength method reads an attacker-controlled 32-bit integer from the\nsocket and readData passes it directly to new byte[length] with no\nupper-bound check. An unauthenticated attacker can cause the JVM to attempt\nan allocation of up to 2,147,483,647 bytes per connection, exhausting heap\nmemory and crashing or severely degrading the DataNode process.</span><br></p><p>This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.</p><p>Users are recommended to upgrade to version 2.0.10, which fixes the issue.</p>"}],"value":"Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB.\nWhen pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver\naccepts raw TCP connections on port 9780 with no authentication. The\nreadLength method reads an attacker-controlled 32-bit integer from the\nsocket and readData passes it directly to new byte[length] with no\nupper-bound check. An unauthenticated attacker can cause the JVM to attempt\nan allocation of up to 2,147,483,647 bytes per connection, exhausting heap\nmemory and crashing or severely degrading the DataNode process.\n\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.10.\n\nUsers are recommended to upgrade to version 2.0.10, which fixes the issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-789","description":"CWE-789 Memory Allocation with Excessive Size Value","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-770","description":"CWE-770 Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-306","description":"CWE-306 Missing Authentication for Critical Function","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-10T07:10:54.826Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/rfpt7m9fvdrw37r3ow5omp2n914z6zqk"}],"source":{"discovery":"UNKNOWN"},"title":"Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded allocation in IoTDB AirGap pipe receiver","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2026-40006","datePublished":"2026-07-10T07:10:54.826Z","dateReserved":"2026-04-08T08:41:59.817Z","dateUpdated":"2026-07-10T14:59:16.628Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-10 08:16:22","lastModifiedDate":"2026-07-10 16:16:29","problem_types":["CWE-306","CWE-770","CWE-789","CWE-789 CWE-789 Memory Allocation with Excessive Size Value","CWE-770 CWE-770 Allocation of Resources Without Limits or Throttling","CWE-306 CWE-306 Missing Authentication for Critical Function"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-10T14:59:12.142625Z","id":"CVE-2026-40006","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"40006","Ordinal":"1","Title":"Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded ","CVE":"CVE-2026-40006","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"40006","Ordinal":"1","NoteData":"Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB.\nWhen pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver\naccepts raw TCP connections on port 9780 with no authentication. The\nreadLength method reads an attacker-controlled 32-bit integer from the\nsocket and readData passes it directly to new byte[length] with no\nupper-bound check. An unauthenticated attacker can cause the JVM to attempt\nan allocation of up to 2,147,483,647 bytes per connection, exhausting heap\nmemory and crashing or severely degrading the DataNode process.\n\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.10.\n\nUsers are recommended to upgrade to version 2.0.10, which fixes the issue.","Type":"Description","Title":"Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded "}]}}}