mediumCVE-2026-54775

CoreWCF Kafka Transport Tombstone Record Denial of Service Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1.

ProductCoreWCF
CVSS6.5
EPSS0.00336
UpdatedJuly 10, 2026

Quick answer

CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CoreWCF before 1.8.1
  • CoreWCF 1.9.0 before 1.9.1

Fixed versions

  • 1.8.1
  • 1.9.1

How to fix it

CoreWCF Kafka transport before 1.8.1 and 1.9.1 can stop processing a topic after receiving a null-value tombstone record. Update CoreWCF and restrict who can produce records to service topics.

  1. Identify CoreWCF services that consume Kafka topics through CoreWCF Kafka transport.
  2. Upgrade CoreWCF Kafka packages to 1.8.1, 1.9.1, or later.
  3. Restrict Kafka producer permissions so only trusted applications can write to CoreWCF service topics.
  4. Add monitoring for null-value tombstone records, consumer exceptions, and stalled partitions.
  5. Restart affected consumers after patching and clear any stuck processing state.
  6. Review Kafka ACLs, topic retention, and dead-letter handling for service topics.
  7. Investigate topic history for malicious or unexpected tombstone records during the vulnerable window.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm patched CoreWCF Kafka packages are loaded.
  • Produce a safe null-value tombstone test in a non-production topic and confirm consumers keep processing.
  • Verify Kafka ACLs prevent untrusted producers from writing to service topics.
  • Review consumer lag and service health after patching.
  • Run a Fixnx scan and confirm Kafka management interfaces are not publicly exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54775?

CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.