{
  "threat_severity" : "Important",
  "public_date" : "2026-06-10T20:22:39Z",
  "bugzilla" : {
    "description" : "kafka-python: Denial of Service via excessive SCRAM authentication iteration count",
    "id" : "2487722",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2487722"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-606",
  "details" : [ "kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.", "A flaw was found in kafka-python. A malicious or machine-in-the-middle broker could exploit a denial-of-service vulnerability during SCRAM authentication. By providing an excessively large iteration count, the broker can cause the client's event loop to freeze. This prevents critical operations such as sending messages, polling for new messages, and maintaining heartbeats, ultimately leading to consumer group eviction and persistent connection failures." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Quay 3.9",
    "release_date" : "2026-06-23T00:00:00Z",
    "advisory" : "RHSA-2026:28571",
    "cpe" : "cpe:/a:redhat:quay:3.9::el8",
    "package" : "quay/quay-rhel8:1781878070"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/quay-rhel9",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-10143\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-10143\nhttps://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b\nhttps://github.com/dpkp/kafka-python/pull/3019\nhttps://github.com/dpkp/kafka-python/pull/3026\nhttps://www.vulncheck.com/advisories/kafka-python-prior-to-dos-via-scram-iteration-count-in-scram-py" ],
  "name" : "CVE-2026-10143",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}