Kafka

Hi Manikumar, The CVE seems to be still reserved and not published yet. Best, On Tue, Apr 7, 2026 at 1:49 PM Manikumar <manikumar@apache.org> wrote: > Severity: moderate > > Affected versions: > > - Apache Kafka Clients (org.apache.kafka:kafka-clients) 2.8.0 through 3.9.1 > - Apache Kafka Clients (org.apache.kafka:kafka-clients) 4.0.0 through 4.0.1 > - Apache Kafka Clients (org.apache.kafka:kafka-clients) 4.1.0 through 4.1.1 > > Description: > > A race condition in the Apache Kafka Java producer client’s buffer > pool management can cause messages to be silently delivered to > incorrect topics. > > When a produce batch expires due to delivery.timeout.ms while a > network request containing that batch is still in flight, the batch’s > ByteBuffer is prematurely deallocated and returned to the buffer pool. > If a subsequent producer batch—potentially destined for a different > topic—reuses this fr...

Severity: moderate Affected versions: - Apache Kafka Clients (org.apache.kafka:kafka-clients) 2.8.0 through 3.9.1 - Apache Kafka Clients (org.apache.kafka:kafka-clients) 4.0.0 through 4.0.1 - Apache Kafka Clients (org.apache.kafka:kafka-clients) 4.1.0 through 4.1.1 Description: A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer. Data Confidentiality: Messages in...

I am not familiar with the details. Sorry. But many people run with KRaft in production for years already, so I would believe that it's not something to be seriously concerned about. Also, looking into the Jira ticket, a lot of tasks are already resolved: - https://issues.apache.org/jira/browse/KAFKA-12466 (only one open task about "shell tool integration") - https://issues.apache.org/jira/browse/KAFKA-10310 (22/36 tickets resolved) -Matthias On 3/26/26 3:14 PM, Dima Brodsky via users wrote: > Hi Matthias, > > Question regarding 4.x and controller log compaction / snapshotting > facilities. As far as I understand KIP-630 > < https://cwiki.apache.org/confluence/display/KAFKA/KIP-630%3A+Kafka+Raft+Snapshot > > is > still open and being worked on. There is still no mechanism in kraft kafka > 4.x to compact and snapshot controller metadata logs. Is there any concern > that these logs will grow q...

Hello We are running Apache Kafka 3.9.0 in z/OS. We noticed following exception/warning in Kafka logs (it comes frequently, causing space issues due to the huge logs): Ý2026-03-26 23:15:56,003¨ WARN ÝSocketServer listenerType=ZK_BROKER, nodeId=1¨ Unexpected error from / 127.0.0.1 (channelId=127.0.0.1:9092-127.0.0.1:50290-10); closing connection (org.apache.kafka.common.network.Selector) org.apache.kafka.common.KafkaException: Size of FileRecords /global/kafka/SYS/kafka-logs/xxxx.infeed.private.v1-0/00000000000000000000.log has been truncated during write: old size 194, new size 97 .at org.apache.kafka.common.record.FileRecords.writeTo(FileRecords.java:298) .at org.apache.kafka.common.record.DefaultRecordsSend.writeTo(DefaultRecordsSend.java:34) .at org.apache.kafka.common.record.RecordsSend.writeTo(RecordsSend.java:50) .at org.apache.kafka.common.record.MultiRecordsSend.writeTo(MultiRecordsSend.java:93) .at org.apache.kafka.common.network.NetworkSend.write...

Hi Matthias, Question regarding 4.x and controller log compaction / snapshotting facilities. As far as I understand KIP-630 < https://cwiki.apache.org/confluence/display/KAFKA/KIP-630%3A+Kafka+Raft+Snapshot > is still open and being worked on. There is still no mechanism in kraft kafka 4.x to compact and snapshot controller metadata logs. Is there any concern that these logs will grow quickly enough in a large, busy, cluster to impact disk usage or controller startup times? Thanks! ttyl Dima On Thu, Mar 26, 2026 at 1:47 PM Matthias J. Sax < mjsax@apache.org > wrote: > Yes, we recently did 3.9.2 release, because the move to 4.x (which is > the first version w/o ZK) is a somewhat larger step for some users. > > At this point, it's unclear if there will be 3.9.3 release or not. But > as more time progresses, and we get new releases 4.3, 4.4 out, the > probability for a 3.9.3 release decreases. > > I would highly enco...

Yes, we recently did 3.9.2 release, because the move to 4.x (which is the first version w/o ZK) is a somewhat larger step for some users. At this point, it's unclear if there will be 3.9.3 release or not. But as more time progresses, and we get new releases 4.3, 4.4 out, the probability for a 3.9.3 release decreases. I would highly encourage users to make the step off 3.x and onto 4.x. HTH, -Matthias On 3/23/26 9:12 AM, Doug Whitfield via users wrote: > I notice 3.9 is still listed as supported at https://kafka.apache.org/community/downloads/ > > Do we have any thoughts on whether there will be a 3.9.3? > > From: Matthias J. Sax < mjsax@apache.org > > Date: Tuesday, 25 November 2025 at 11:28 > To: users@kafka.apache.org < users@kafka.apache.org > > Subject: Re: Trying to gauge the eol for Kafka 3.9.1. Please help. > > Cf > https://cwiki.apache.org/confluence/display/KAFKA/Time+Based+Release+Plan#Tim...

Hi Jim, The product uses the latest kafka version i.e 4.2.0 wherein the jetty version used is still the old one 12.0.22 kafka/gradle/dependencies.gradle at 4.2.0 · apache/kafka · GitHub< https://github.com/apache/kafka/blob/4.2.0/gradle/dependencies.gradle > Regards Vivek From: Ashish Verma V < ashish.v.verma@ericsson.com > Sent: 24 March 2026 14:02 To: Jim Halfpenny <jim.halfpenny@stackable.tech> Cc: users@kafka.apache.org ; Steven Schlansker < stevenschlansker@gmail.com >; users-subscribe@kafka.apache.org ; Abhishek Kant Rattan < abhishek.kant.rattan@ericsson.com >; Sahil Sharma D < sahil.d.sharma@ericsson.com >; Apoorva Maheshwari < apoorva.maheshwari@ericsson.com >; Vivek Agarwal B < vivek.b.agarwal@ericsson.com > Subject: RE: Version info that supports Jetty v12.0.25 ++ Vivek From: Jim Halfpenny <jim.halfpenny@stackable.tech<mailto: jim.halfpenny@stackable.tech >> Sent: 21 March 2026 15:09 ...