CVE-2026-40007
Apache Software Foundation · Apache IoTDB
A stack exhaustion vulnerability in Apache IoTDB's AirGap receiver allows unauthenticated attackers to cause a denial-of-service via uncontrolled recursion.
Executive summary
An unauthenticated denial-of-service vulnerability in Apache IoTDB allows remote attackers to crash the service via uncontrolled recursion.
Vulnerability
The readLength method in the AirGap receiver lacks recursion depth limits when processing socket data containing specific prefixes. An unauthenticated attacker can exploit this to exhaust the JVM stack, resulting in a StackOverflowError and service denial.
Business impact
The CVSS score of 7.5 reflects the critical nature of this denial-of-service, particularly for IoT infrastructure. Because the attack is unauthenticated and network-accessible, it can be triggered remotely to disrupt critical data collection services and impact the availability of industrial IoT environments.
Remediation
Immediate Action: Update Apache IoTDB to version 2.0.10 or later to ensure the recursion limit is correctly implemented.
Proactive Monitoring: Monitor JVM stack usage and error logs for recurring StackOverflowError exceptions or unexpected thread crashes associated with the AirGap receiver.
Compensating Controls: Use network segmentation or firewalls to restrict access to the IoTDB AirGap receiver port to only known, trusted IP addresses if immediate patching is not feasible.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Apache IoTDB users should prioritize upgrading to version 2.0.10 immediately. This update is essential to prevent potential service instability and denial-of-service attacks that could paralyze IoT data processing pipelines.