Home

Description

In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

PUBLISHED Reserved 2026-04-23 | Published 2026-05-05 | Updated 2026-05-05 | Assigner eclipse




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-125 Out-of-bounds read

Product status

Default status
unaffected

0.21 (semver) before 0.59
affected

Credits

Sebastian Josue Alba Vives finder

References

github.com/...openj9/security/advisories/GHSA-q393-vr4c-969r exploit

github.com/...openj9/security/advisories/GHSA-q393-vr4c-969r

github.com/eclipse-openj9/openj9/pull/23793

cve.org (CVE-2026-6918)

nvd.nist.gov (CVE-2026-6918)

Download JSON