Skip to main content

Openj9

14 CVEs product

Monthly

CVE-2025-4447 HIGH PATCH This Week

In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Openj9 Red Hat Suse
NVD GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2024-10917 MEDIUM PATCH This Month

In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow Information Disclosure Openj9
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-3933 HIGH PATCH This Week

In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

IBM Buffer Overflow Information Disclosure Openj9
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2023-5676 MEDIUM PATCH This Month

In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Openj9
NVD GitHub
CVSS 3.1
5.9
EPSS
0.4%
CVE-2023-2597 CRITICAL PATCH Act Now

In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow Openj9
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2022-3676 MEDIUM PATCH This Month

In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Openj9
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-41035 CRITICAL PATCH Act Now

In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Openj9
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-28167 MEDIUM POC This Month

In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Openj9
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2019-17631 CRITICAL Act Now

From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openj9 Satellite Enterprise Linux Enterprise Linux Desktop +3
NVD
CVSS 3.1
9.1
EPSS
2.1%
CVE-2019-11775 HIGH This Week

All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Openj9 Satellite Enterprise Linux Desktop Enterprise Linux Server +1
NVD
CVSS 3.1
7.4
EPSS
1.5%
CVE-2019-11772 CRITICAL Act Now

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Buffer Overflow Memory Corruption Openj9
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2019-11771 HIGH This Week

AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Openj9
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2019-10245 HIGH PATCH This Week

In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Denial Of Service Openj9 Satellite Enterprise Linux +3
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2018-12539 HIGH PATCH This Week

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Java Microsoft IBM Information Disclosure Openj9 +1
NVD
CVSS 3.0
7.8
EPSS
0.5%
EPSS 0% CVSS 7.0
HIGH PATCH This Week

In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Openj9 +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow Information Disclosure Openj9
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

IBM Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Openj9
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow Openj9
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Openj9
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Openj9
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Openj9
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL Act Now

From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openj9 Satellite +5
NVD
EPSS 1% CVSS 7.4
HIGH This Week

All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Openj9 Satellite +3
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Buffer Overflow Memory Corruption +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Openj9
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Denial Of Service Openj9 +5
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Java Microsoft IBM +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy