CoreWCF Kafka Transport Tombstone Record Denial of Service Vulnerability
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1.
Quick answer
CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CoreWCF before 1.8.1
- CoreWCF 1.9.0 before 1.9.1
Fixed versions
- 1.8.1
- 1.9.1
How to fix it
CoreWCF Kafka transport before 1.8.1 and 1.9.1 can stop processing a topic after receiving a null-value tombstone record. Update CoreWCF and restrict who can produce records to service topics.
- Identify CoreWCF services that consume Kafka topics through CoreWCF Kafka transport.
- Upgrade CoreWCF Kafka packages to 1.8.1, 1.9.1, or later.
- Restrict Kafka producer permissions so only trusted applications can write to CoreWCF service topics.
- Add monitoring for null-value tombstone records, consumer exceptions, and stalled partitions.
- Restart affected consumers after patching and clear any stuck processing state.
- Review Kafka ACLs, topic retention, and dead-letter handling for service topics.
- Investigate topic history for malicious or unexpected tombstone records during the vulnerable window.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm patched CoreWCF Kafka packages are loaded.
- Produce a safe null-value tombstone test in a non-production topic and confirm consumers keep processing.
- Verify Kafka ACLs prevent untrusted producers from writing to service topics.
- Review consumer lag and service health after patching.
- Run a Fixnx scan and confirm Kafka management interfaces are not publicly exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-54775?
CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
