SB2026021811 - Multiple vulnerabilities in IBM Operator for Apache Flink
Published: February 18, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2025-25193)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application attempts to load a file that does not exist. A local user can create a large file on the system and crash the application.
Note, the vulnerability affects Windows installations only.
2) Resource exhaustion (CVE-ID: CVE-2024-38808)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when evaluating user-supplied SpEL expression. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Uncontrolled Recursion (CVE-ID: CVE-2024-58103)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Square Wire does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Resource exhaustion (CVE-ID: CVE-2025-55163)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Resource exhaustion (CVE-ID: CVE-2025-58057)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in BrotliDecoder and some other decompressing decoders. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Resource management error (CVE-ID: CVE-2024-47535)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an unsafe reading of an environment file on Windows. A local user can create an overly large file and perform a denial of service (DoS) attack.
7) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2021-38153)
The vulnerability allows a local user to escalate privileges on the system.
the vulnerability exists due to some components in Apache Kafka use "Arrays.equals" to validate a password or key, which is vulnerable to timing attacks. A local user can abuse the "Arrays.equals" to brute force access credentials and escalate privileges on the system.
8) Information disclosure (CVE-ID: CVE-2024-31141)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the way Apache Kafka Clients handles custom configurations. A remote user with access to REST API can read arbitrary files and variables on the system and escalate their privileges filesystem/environment access.
9) Deserialization of Untrusted Data (CVE-ID: CVE-2023-25194)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to Apache Kafka Connect performs deserialization of data retrieved from the configured LDAP server in "com.sun.security.auth.module.JndiLoginModule". A remote user ability to create/modify connectors on the server with an arbitrary Kafka client SASL JAAS config can configure the server to connect to a malicious LDAP server and execute arbitrary Java code on the system.
10) Deserialization of Untrusted Data (CVE-ID: CVE-2025-27819)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
11) Deserialization of Untrusted Data (CVE-ID: CVE-2025-27818)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote user can set the sasl.jaas.config property for connector's Kafka clients to 'com.sun.security.auth.module.LdapLoginModule' through various override properties (producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config). This configuration enables the server to connect to an attacker's LDAP server and deserialize the LDAP response, potentially leading to the execution of java deserialization gadget chains on the Kafka connect server.
12) Input validation error (CVE-ID: CVE-2025-24970)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in SslHandler when using native SSLEngine. A remote attacker can send a specially crafted packet to the application and perform a denial of service (DoS) attack.
13) Infinite loop (CVE-ID: CVE-2021-39194)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote user can provide arbitrary YAML input to an application that uses kaml to cause the application to endlessly loop while parsing the input leading to resource starvation and denial of service.
Remediation
Install update from vendor's website.