Message-ID: <9d8f6f59-71ed-279d-a1d1-e57a589d072a@apache.org>
Date: Tue, 28 Apr 2026 00:01:21 +0000
From: Jens Geyer <jensg@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-48431: Apache Thrift glibc language bindings: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.

Severity: important 

Affected versions:

- Apache Thrift glibc language bindings before 0.23.0

Description:

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
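The advisory names the weakness class (Mismatched Memory Management Routines, CWE-762) but not the affected code path. The following is an added, hypothetical C illustration of that class and of the ownership-tagging fix; it is not Apache Thrift code and does not reproduce the actual c_glib defect. It assumes a server that copies request payloads into buffers from one of two allocators (the C heap, or a static bump-allocated pool) and shows why a single release routine for both is the "free(): invalid pointer" failure mode, and how recording the allocator that produced each buffer removes it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical example, not from Apache Thrift: two allocation families that
 * must each be paired with their own release routine (CWE-762). */

#define POOL_SIZE 4096
static unsigned char g_pool[POOL_SIZE];
static size_t g_pool_used;

enum buf_owner { OWNER_HEAP = 1, OWNER_POOL = 2 };

struct payload {
    enum buf_owner owner;  /* which allocator produced `data` */
    size_t len;
    unsigned char *data;
};

/* Bump allocator over a static arena. Pointers returned here are not malloc()
 * results, so passing one to free() makes glibc abort with
 * "free(): invalid pointer". */
static unsigned char *pool_alloc(size_t n)
{
    if (n > POOL_SIZE - g_pool_used)
        return NULL;
    unsigned char *p = g_pool + g_pool_used;
    g_pool_used += n;
    return p;
}

/* The pool's own release routine: a bump allocator cannot free single blocks,
 * so per-buffer release is a no-op and the arena is reset between requests. */
static void pool_release(unsigned char *p) { (void)p; }
static void pool_reset(void) { g_pool_used = 0; }

/* 1 if p points into the static pool, 0 otherwise (used to verify placement). */
int pointer_in_pool(const unsigned char *p)
{
    return p >= g_pool && p < g_pool + POOL_SIZE;
}

/* Copy n bytes of a request payload into a buffer from the requested
 * allocator and record the owner. Returns 0 on success, -1 on failure. */
int payload_init(struct payload *pl, enum buf_owner owner,
                 const unsigned char *src, size_t n)
{
    unsigned char *p = (owner == OWNER_HEAP)
                           ? (unsigned char *)malloc(n ? n : 1)
                           : pool_alloc(n);
    if (p == NULL)
        return -1;
    memcpy(p, src, n);
    pl->owner = owner;
    pl->len = n;
    pl->data = p;
    return 0;
}

/* Vulnerable pattern: one release path for every buffer regardless of origin.
 * Never called below; a pool-backed payload handed to this function is exactly
 * the mismatched-routine crash the advisory describes. */
void payload_release_mismatched(struct payload *pl)
{
    free(pl->data);
    pl->data = NULL;
}

/* Fixed pattern: release with the routine matching the recorded owner.
 * Returns 0 on success, -1 for an unknown owner tag (refuse rather than guess). */
int payload_release(struct payload *pl)
{
    if (pl->data == NULL)
        return 0;
    switch (pl->owner) {
    case OWNER_HEAP: free(pl->data); break;
    case OWNER_POOL: pool_release(pl->data); break;
    default: return -1;
    }
    pl->data = NULL;
    pl->len = 0;
    return 0;
}

/* Round trip for one constructed payload: allocate with the given owner, check
 * placement and contents, release correctly. Returns 1 if every step succeeded. */
int roundtrip(enum buf_owner owner, const unsigned char *src, size_t n)
{
    struct payload pl;
    if (payload_init(&pl, owner, src, n) != 0)
        return 0;
    int placed_ok = (owner == OWNER_POOL) ? pointer_in_pool(pl.data)
                                          : !pointer_in_pool(pl.data);
    int cmp_ok = memcmp(pl.data, src, n) == 0;
    int rel_ok = payload_release(&pl) == 0 && pl.data == NULL;
    if (owner == OWNER_POOL)
        pool_reset();
    return placed_ok && cmp_ok && rel_ok;
}
```

The design point is that the release decision is driven by the tag stored next to the pointer, never inferred at the call site; an unknown tag is reported as an error instead of falling through to free(). Building with AddressSanitizer or running under a glibc with malloc checking enabled turns the mismatched path into an immediate, attributable failure during testing rather than a crash in production.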

Credit:

Hasnain Lakhani (finder)
Hasnain Lakhani (remediation developer)

References:

https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-48431
