This vulnerability (CVE-2026-41726) in Spring for Apache Kafka arises when an application opts into DelegatingDeserializer. A producer can exploit this by sending records with unique random spring.kafka.serialization.selector header values, causing the consumer's heap memory to grow without limits. This unbounded resource allocation leads to excessive garbage collection activity and eventually an OutOfMemoryError, disrupting application availability. The affected versions span multiple release lines: 2.8.0 to 2.8.11, 2.9.0 to 2.9.13, 3.2.0 to 3.2.13, 3.3.0 to 3.3.15, and 4.0.0 to 4.0.5. There is no vendor advisory or patch currently available, and no known exploits in the wild have been reported.

Exploitation of this vulnerability can cause denial of service by exhausting the consumer application's heap memory, leading to garbage collection thrashing and OutOfMemoryError. This impacts application availability but does not affect confidentiality or integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider avoiding the use of DelegatingDeserializer or implementing application-level limits on the number of unique spring.kafka.serialization.selector header values processed to mitigate unbounded memory growth.