Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with required user interaction to trigger the JNI path; impact is solely availability loss (crash); no privileges beyond local access needed.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A heap buffer overflow vulnerability exists in the Jansi JNI "ioctl()" wrapper due to a lack of size verification for the argument array before the system call. This can lead to heap corruption and application crashes (DoS). All versions are believed to be vulnerable. This project is unmaintained at the time of CVE assignment.
AnalysisAI
Heap corruption in fusesource Jansi's JNI native layer exposes Java applications to denial-of-service through application crashes. The JNI wrapper around the ioctl() system call omits array-size bounds checking before passing the argument array into native heap memory, enabling a heap buffer overflow condition reachable by any local actor who can influence that code path. No fix will be released - the project is confirmed unmaintained at the time CVE-2026-8484 was assigned, and all known versions carry this defect. No public exploit code or active KEV-confirmed exploitation has been identified at time of analysis.
Technical ContextAI
Jansi (CPE: cpe:2.3:a:fusesource:jansi:*:*:*:*:*:*:*:*) is a Java library that uses JNI (Java Native Interface) to provide ANSI terminal escape-sequence support on platforms that otherwise lack it natively. The vulnerability resides in native C code wrapping the POSIX ioctl() system call: before invoking the syscall, the wrapper copies caller-supplied argument data into a heap-allocated buffer without first verifying that the source data fits within the destination's allocated size. CWE-122 (Heap-based Buffer Overflow) describes exactly this root cause - when a write into a heap buffer exceeds its bounds, adjacent heap metadata or object memory is overwritten, leading to heap corruption. In this case the reporter confirms the reachable outcome is availability loss (crash/DoS); arbitrary code execution is not claimed.
RemediationAI
No vendor-released patch has been identified at time of analysis, and none is anticipated given the project's confirmed unmaintained status. The primary remediation is migration away from Jansi to an actively maintained alternative that provides ANSI terminal support without a vulnerable native JNI layer. If migration is not immediately feasible, assess whether your application exercises Jansi's ioctl() JNI wrapper through a code path reachable by untrusted or attacker-influenced input; if that path cannot be reached from external input, the practical risk may be low pending migration. As a short-term compensating control, consider restricting JNI permissions via your Java security policy or container sandbox (e.g., seccomp profiles blocking ioctl() syscalls where not needed), noting this may degrade or break terminal color/ANSI functionality. Dependency management tooling such as Maven Enforcer or Dependabot should be configured to flag Jansi as a banned dependency to prevent future reintroduction. Consult the CERT-PL advisory at https://cert.pl/en/posts/2026/06/CVE-2026-8484 for additional reporter guidance.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37064
GHSA-fh45-7f3j-r575