debian · CVE-2026-10143

Quick triage

Priority: not yet assigned Published: Updated: Wed, 08 Jul 2026 05:48:42 GMT

View at Official debian advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2026-10143 not yet assigned priority: Debian including 1 source packages (python-kafka), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2.

Description:

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.

cvelogic Threat Intelligence