Intel

AIKIDO-2026-854310

karafka-rdkafka is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

84

High Risk

This Affects:

rubykarafka-rdkafka
0.0.0 - 0.27.2
Fixed in 0.28.0
Are you affected? Scan for Free

TL;DR

The package's native admin result parsing used an incorrect out-parameter size (:int32 instead of librdkafka's size_t), which can write past allocated memory and cause heap overflow/undefined behavior on every admin operation result parse. The update fixes this sizing mismatch, and also corrects native lifetime/cleanup for admin background events and related handle/error paths to prevent deadlocks and native memory leaks/double-frees.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

karafka-rdkafka is vulnerable to Heap-based Buffer Overflow in versions 0.0.0 - 0.27.2.

How to fix this

Upgrade the karafka-rdkafka library to the patch version.