CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-40007

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-10
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticated attacker can send a stream of repeated E-language prefixes that drives the recursion arbitrarily deep, exhausting the receiver thread's JVM stack and raising StackOverflowError. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

⚡ Watch CVE-2026-40007

Get an email if CVE-2026-40007 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-40007

CVE.org record

Embed the live status

CVE-2026-40007 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-40007 status](https://www.csirts.com/badge/CVE-2026-40007)](https://www.csirts.com/cve/CVE-2026-40007)