GHSA-m744-jhq9-ppw6MediumCVSS 6.5

CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.

Preconditions

The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Only allow authenticated writes to a topic

🎯 Affected products2

  • nuget/CoreWCF.Kafka:< 1.8.1
  • nuget/CoreWCF.Kafka:>= 1.9.0, < 1.9.1

🔗 References (2)