This vulnerability involves a race condition in the Apache Kafka Java producer client's buffer pool management. When a produce batch expires due to delivery.timeout.ms while its network request is still in flight, the batch's ByteBuffer is prematurely freed and returned to the buffer pool. If a subsequent batch reuses this freed buffer before the original request completes, the buffer contents may become corrupted. This results in messages being delivered to unintended topics without error notification to the producer. The issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1. Upgrading to versions 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later addresses the vulnerability.

Messages may be delivered to incorrect topics, potentially exposing sensitive data to unauthorized consumers and causing data integrity issues such as deserialization failures and corrupted downstream data processing. This silent message misdelivery can undermine confidentiality and integrity of Kafka messaging systems.

Users should upgrade Apache Kafka clients to versions 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later where this vulnerability is fixed. Patch status is not explicitly stated in the vendor advisory, but the recommended versions indicate an official fix is available. No alternative mitigations or temporary fixes are documented.