[
https://issues.apache.org/jira/browse/KAFKA-18820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vishal resolved KAFKA-18820.
----------------------------
Fix Version/s: 4.0.0
Resolution: Fixed
Resolving since issue was fixed in 4.0.0.
> CVE-2025-24970 [netty-handler]
> ------------------------------
>
> Key: KAFKA-18820
> URL: https://issues.apache.org/jira/browse/KAFKA-18820
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 3.6.3, 3.7.3, 3.8.2, 3.9.0
> Reporter: Vishal
> Priority: Major
> Fix For: 4.0.0
>
>
> Netty, an asynchronous, event-driven network application framework, has a
> vulnerability starting in version 4.1.91.Final and prior to version
> 4.1.118.Final. When a special crafted packet is received via SslHandler it
> doesn't correctly handle validation of such a packet in all cases which can
> lead to a native crash. Version 4.1.118.Final contains a patch. As workaround
> its possible to either disable the usage of the native SSLEngine or change
> the code manually.
> *NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2025-24970]
> *Fix Version :* 4.1.118.Final
> _This issue was created with the help of static security scanners._
> The kafka binary uses netty-handler 4.1.111.Final
> The kafka java library uses 4.1.115.Final.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
