CVE-2026-40007

Apache Software Foundation · Apache IoTDB

A stack exhaustion vulnerability in Apache IoTDB's AirGap receiver allows unauthenticated attackers to cause a denial-of-service via uncontrolled recursion.

Executive summary

An unauthenticated denial-of-service vulnerability in Apache IoTDB allows remote attackers to crash the service via uncontrolled recursion.

Vulnerability

The readLength method in the AirGap receiver lacks recursion depth limits when processing socket data containing specific prefixes. An unauthenticated attacker can exploit this to exhaust the JVM stack, resulting in a StackOverflowError and service denial.

Business impact

The CVSS score of 7.5 reflects the critical nature of this denial-of-service, particularly for IoT infrastructure. Because the attack is unauthenticated and network-accessible, it can be triggered remotely to disrupt critical data collection services and impact the availability of industrial IoT environments.

Remediation

Immediate Action: Update Apache IoTDB to version 2.0.10 or later to ensure the recursion limit is correctly implemented.

Proactive Monitoring: Monitor JVM stack usage and error logs for recurring StackOverflowError exceptions or unexpected thread crashes associated with the AirGap receiver.

Compensating Controls: Use network segmentation or firewalls to restrict access to the IoTDB AirGap receiver port to only known, trusted IP addresses if immediate patching is not feasible.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Apache IoTDB users should prioritize upgrading to version 2.0.10 immediately. This update is essential to prevent potential service instability and denial-of-service attacks that could paralyze IoT data processing pipelines.