CVE-2026-6918 PUBLISHED

Assigner: eclipse
Reserved: 23.04.2026 Published: 05.05.2026 Updated: 05.05.2026

In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor: Eclipse Foundation
Product: Eclipse OpenJ9
Versions (default: unaffected):
  • affected from 0.21 to 0.59 (excl.)

Credits

  • Sebastian Josue Alba Vives (finder)

Problem Types

  • CWE-125: Out-of-bounds read