Skip to main content

Jansi EUVDEUVD-2026-37064

| CVE-2026-8484 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-06-16 CERT-PL GHSA-fh45-7f3j-r575
4.8
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local vector with required user interaction to trigger the JNI path; impact is solely availability loss (crash); no privileges beyond local access needed.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 11:51 vuln.today

DescriptionCVE.org

A heap buffer overflow vulnerability exists in the Jansi JNI "ioctl()" wrapper due to a lack of size verification for the argument array before the system call. This can lead to heap corruption and application crashes (DoS). All versions are believed to be vulnerable. This project is unmaintained at the time of CVE assignment.

AnalysisAI

Heap corruption in fusesource Jansi's JNI native layer exposes Java applications to denial-of-service through application crashes. The JNI wrapper around the ioctl() system call omits array-size bounds checking before passing the argument array into native heap memory, enabling a heap buffer overflow condition reachable by any local actor who can influence that code path. No fix will be released - the project is confirmed unmaintained at the time CVE-2026-8484 was assigned, and all known versions carry this defect. No public exploit code or active KEV-confirmed exploitation has been identified at time of analysis.

Technical ContextAI

Jansi (CPE: cpe:2.3:a:fusesource:jansi:*:*:*:*:*:*:*:*) is a Java library that uses JNI (Java Native Interface) to provide ANSI terminal escape-sequence support on platforms that otherwise lack it natively. The vulnerability resides in native C code wrapping the POSIX ioctl() system call: before invoking the syscall, the wrapper copies caller-supplied argument data into a heap-allocated buffer without first verifying that the source data fits within the destination's allocated size. CWE-122 (Heap-based Buffer Overflow) describes exactly this root cause - when a write into a heap buffer exceeds its bounds, adjacent heap metadata or object memory is overwritten, leading to heap corruption. In this case the reporter confirms the reachable outcome is availability loss (crash/DoS); arbitrary code execution is not claimed.

RemediationAI

No vendor-released patch has been identified at time of analysis, and none is anticipated given the project's confirmed unmaintained status. The primary remediation is migration away from Jansi to an actively maintained alternative that provides ANSI terminal support without a vulnerable native JNI layer. If migration is not immediately feasible, assess whether your application exercises Jansi's ioctl() JNI wrapper through a code path reachable by untrusted or attacker-influenced input; if that path cannot be reached from external input, the practical risk may be low pending migration. As a short-term compensating control, consider restricting JNI permissions via your Java security policy or container sandbox (e.g., seccomp profiles blocking ioctl() syscalls where not needed), noting this may degrade or break terminal color/ANSI functionality. Dependency management tooling such as Maven Enforcer or Dependabot should be configured to flag Jansi as a banned dependency to prevent future reintroduction. Consult the CERT-PL advisory at https://cert.pl/en/posts/2026/06/CVE-2026-8484 for additional reporter guidance.

Share

EUVD-2026-37064 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy