Skip to main content

Eclipse Vert.x CVE-2026-6860

| EUVDEUVD-2026-27655 MEDIUM
Improper Certificate Validation (CWE-295)
2026-05-06 emo@eclipse.org GHSA-3g76-f9xq-8vp6
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 06, 2026 - 10:30 vuln.today
Analysis Generated
May 06, 2026 - 10:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2,106 maven packages depend on io.vertx:vertx-core (166 direct, 1,940 indirect)

Ecosystem-wide dependent count for version 4.3.4.

DescriptionCVE.org

A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

AnalysisAI

Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.

Technical ContextAI

The vulnerability exists in Eclipse Vert.x's TLS/SSL implementation, specifically in the SslContextProvider and SslContextManager classes that handle Server Name Indication (SNI) hostname resolution during TLS handshakes. The root cause is improper cache management in the SNI lookup mechanism: the original implementation used unbounded ConcurrentHashMap structures to cache SSL contexts keyed by server name. When a client presents a TLS SNI extension with a hostname matching a wildcard certificate pattern (e.g., *.example.com), the server accepts any XYZ.example.com variant without proper validation that the requested hostname is actually authorized for that certificate. This allows an attacker to request SSL contexts for arbitrary subdomain names that match the wildcard pattern, causing the server to return valid SSL contexts intended for different purposes. The fix introduces an LruCache (Least Recently Used cache) with bounded size (DEFAULT_SNI_CACHE_SIZE=16) to limit memory exposure and proper synchronization to prevent race conditions in multi-threaded scenarios. The underlying protocol involved is TLS 1.2/1.3 with SNI (RFC 6066), which allows clients to specify the intended server hostname during the handshake to support virtual hosting over TLS.

RemediationAI

Upgrade Eclipse Vert.x to a patched version that includes PR #6102 or later. The upstream fix is available in the GitHub repository (https://github.com/eclipse-vertx/vert.x/pull/6102) and the security advisory at https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6. Check the Vert.x release notes for the specific release version incorporating this fix (likely 4.x.x or 5.x.x depending on your branch). As a temporary mitigation before patching: (1) Disable SNI if not required by setting setSni(false) in NetServerOptions and NetClientOptions-trade-off is loss of virtual hostname support over TLS; (2) Replace wildcard certificates (*.example.com) with subject alternative names (SANs) listing only the intended subdomains-trade-off is certificate management complexity; (3) Implement an external reverse proxy with proper hostname validation before requests reach the Vert.x application, forwarding only validated hostnames-trade-off is additional infrastructure overhead. The patch itself modifies SNI caching from unbounded ConcurrentHashMap to bounded LruCache with size 16, adds synchronization to prevent race conditions, and tightens hostname matching validation logic in SslContextProvider.

Vendor StatusVendor

Share

CVE-2026-6860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy