GHSA-m744-jhq9-ppw6

Source

https://github.com/advisories/GHSA-m744-jhq9-ppw6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-m744-jhq9-ppw6/GHSA-m744-jhq9-ppw6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m744-jhq9-ppw6

Aliases

CVE-2026-54775

Published

2026-06-19T20:46:49Z

Modified

2026-06-19T21:00:15.896788800Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.

Details

Impact

A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.

Preconditions

The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Only allow authenticated writes to a topic

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:46:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-248",
        "CWE-754",
        "CWE-755"
    ]
}

References

Affected packages

NuGet / CoreWCF.Kafka

Package

Name: CoreWCF.Kafka; View open source insights on deps.dev
Purl: pkg:nuget/CoreWCF.Kafka

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.1

Affected versions

1.*

1.4.0

1.4.1

1.4.2

1.5.0-preview1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-m744-jhq9-ppw6/GHSA-m744-jhq9-ppw6.json"