Skip to main content

Eclipse OpenJ9 CVE-2026-6918

| EUVDEUVD-2026-27315 HIGH
Out-of-bounds Read (CWE-125)
2026-05-05 eclipse
8.7
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 05, 2026 - 14:01 EUVD
Source Code Evidence Fetched
May 05, 2026 - 13:30 vuln.today
Analysis Generated
May 05, 2026 - 13:30 vuln.today
CVSS changed
May 05, 2026 - 13:22 NVD
8.7 (HIGH)

DescriptionCVE.org

In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

AnalysisAI

Remote unauthenticated attackers can crash Eclipse OpenJ9 JITServer instances (versions 0.21-0.58) by sending a specially crafted 32-byte TCP message, triggering a buffer over-read (CWE-125) that causes denial of service. The vulnerability requires no authentication or user interaction, affecting any exposed JITServer endpoint. CVSS 8.7 (High) reflects the severe availability impact, though EPSS data is not available for this recent CVE. Exploit code is publicly available via GitHub PR #23793, which demonstrates the bounds-checking fix, though no active exploitation is confirmed at time of analysis.

Technical ContextAI

Eclipse OpenJ9 is an open-source JVM implementation featuring JITServer, a service that offloads Just-In-Time compilation to a remote server over TCP. The vulnerability (CWE-125: Out-of-bounds Read) exists in the MessageBuffer::readData() method within runtime/compiler/net/MessageBuffer.cpp. Prior to the fix, readData() advanced the buffer cursor (_curPtr) by dataSize bytes without validating that _curPtr + dataSize remained within buffer bounds (_storage + _capacity). An attacker sending a malformed 32-byte TCP message with an inflated dataSize value triggers a read beyond allocated memory, causing a crash. The patch adds bounds checking that throws a JITServer::StreamFailure exception when read operations would exceed buffer capacity, preventing the out-of-bounds access.

RemediationAI

Upgrade Eclipse OpenJ9 to version 0.59 or later, which includes the bounds-checking fix from pull request #23793 (https://github.com/eclipse-openj9/openj9/pull/23793). The patch modifies MessageBuffer::readData() to validate buffer boundaries before advancing the cursor, throwing StreamFailure exceptions on invalid read attempts. If immediate upgrade is not feasible, implement network-level access controls to restrict JITServer TCP port access to trusted compilation clients only - use firewall rules, VPN tunnels, or mTLS authentication to prevent unauthenticated network access. Note that access restrictions reduce attack surface but do not eliminate the vulnerability if a trusted client is compromised. Disabling JITServer entirely eliminates exposure with potential performance cost for distributed compilation workloads. Monitor JITServer logs for unexpected crashes or connection patterns from untrusted sources as temporary detective control.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-6918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy