Apache Thrift 0.23.0 addresses two vulnerabilities: CVE-2026-41604, an out-of-bounds read in the binary protocol parser affecting all language bindings that can crash Thrift-based services and potentially leak memory contents; and CVE-2026-41636, an uncontrolled recursion flaw in the Node.js library that enables remote denial of service via deeply nested Thrift structures. Organisations operating Thrift-based microservices or inter-service RPC should upgrade to 0.23.0.