CVE Vulnerabilities

CVE-2026-41636

Uncontrolled Recursion

Published: Apr 28, 2026 | Modified: Apr 28, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

NameVendorStart VersionEnd Version
ThriftApache*0.23.0 (excluding)
Multicluster Global Hub 1.3.4RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1779212259*
Multicluster Global Hub 1.4.5RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439*
Multicluster Global Hub 1.5.4RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753*
Multicluster Global Hub 1.6.2RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118*
Red Hat Advanced Cluster Management for Kubernetes 2.15RedHatrhacm2/acm-grafana-rhel9:1780677003*

Potential Mitigations

References