CVE-2026-41602: Apache Thrift TFramedTransport Go language implementation has an Integer Overflow or Wraparound vulnerability

April 28, 2026 (updated May 6, 2026)

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

github.com/advisories/GHSA-wf45-q9ch-q8gh
github.com/apache/thrift
lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql
nvd.nist.gov/vuln/detail/CVE-2026-41602

Code Behaviors & Features

Detect and mitigate CVE-2026-41602 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →