{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-41602","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-04-21T21:28:29.894Z","datePublished":"2026-04-28T09:19:06.646Z","dateUpdated":"2026-07-09T12:09:36.541Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Thrift","vendor":"Apache Software Foundation","versions":[{"lessThan":"0.23.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"김범수"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation</p><p>This issue affects Apache Thrift: before 0.23.0.</p><p>Users are recommended to upgrade to version 0.23.0, which fixes the issue.</p>"}],"value":"Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-190","description":"CWE-190 Integer Overflow or Wraparound","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-04-28T09:19:06.646Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Thrift: Go TFramedTransport uint32 overflow","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/04/28/6"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-04-28T09:51:57.579Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.5,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-04-28T14:09:11.801841Z","id":"CVE-2026-41602","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-28T14:10:24.945Z"}},{"affected":[{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.3::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.3.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.4::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.4.5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.5::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.5.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.6::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.6.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.7::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.7.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2.14::el9"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Management for Kubernetes 2.14","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2.15::el9"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Management for Kubernetes 2.15","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2.16::el9"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Management for Kubernetes 2.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift distributed tracing 3.9.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub"],"defaultStatus":"affected","product":"Multicluster Global Hub","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:5"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:6"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:9"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"affected","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:2"],"defaultStatus":"unaffected","product":"OpenShift Service Mesh 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:18.0"],"defaultStatus":"unaffected","product":"Red Hat OpenStack Platform 18.0","vendor":"Red Hat"}],"datePublic":"2026-04-28T09:19:06.646Z","descriptions":[{"lang":"en","value":"A flaw was found in the Apache Thrift TFramedTransport Go language implementation. This integer overflow or wraparound vulnerability could potentially allow an attacker to cause unexpected behavior or resource exhaustion, leading to a denial of service."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-190","description":"Integer Overflow or Wraparound","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-41602"},{"name":"RHBZ#2463407","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2463407"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41602.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22423"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22347"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21769"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23345"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24503"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36882"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24539"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25273"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14162"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14885"}],"solutions":[{"lang":"en","value":"RHSA-2026:22423: Multicluster Global Hub 1.3.4"},{"lang":"en","value":"RHSA-2026:22347: Multicluster Global Hub 1.4.5"},{"lang":"en","value":"RHSA-2026:21769: Multicluster Global Hub 1.5.4"},{"lang":"en","value":"RHSA-2026:23345: Multicluster Global Hub 1.6.2"},{"lang":"en","value":"RHSA-2026:24503: Multicluster Global Hub 1.7.1"},{"lang":"en","value":"RHSA-2026:36882: Red Hat Advanced Cluster Management for Kubernetes 2.14"},{"lang":"en","value":"RHSA-2026:24539: Red Hat Advanced Cluster Management for Kubernetes 2.15"},{"lang":"en","value":"RHSA-2026:25273: Red Hat Advanced Cluster Management for Kubernetes 2.16"},{"lang":"en","value":"RHSA-2026:14162: Red Hat OpenShift distributed tracing 3.9.3"},{"lang":"en","value":"RHSA-2026:14885: Red Hat OpenShift distributed tracing 3.9.3"}],"timeline":[{"lang":"en","time":"2026-04-28T10:01:16.099Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-28T09:19:06.646Z","value":"Made public."}],"title":"github.com/apache/thrift: Apache Thrift: Integer Overflow in TFramedTransport Go implementation","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:36.541Z"}}]}}