Description
The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
Published: 2026-06-26
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can write to the shared /tmp directory of a Wolfram Cloud instance to place malicious .jar files that the default Java Virtual Machine will load before legitimate libraries during startup. The attacker can thereby execute arbitrary code in the context of the victim's JVM, effectively achieving privilege escalation or complete compromise of the cloud environment.

Affected Systems

The affected systems are Wolfram Research Inc. Cloud instances that run the default JVM configuration exposing the /tmp/UserTemporaryFiles/ directory. No specific product versions are listed, so all instances that allow shared /tmp access are potentially vulnerable.

Risk and Exploitability

The CVSS score marks this as Critical, confirming the high severity of the described Remote Code Execution. Even without an EPSS score and without inclusion in CISA's KEV catalog, an attacker with write access to the shared /tmp space can preemptively place malicious libraries that the vulnerable JVM will load first. The vulnerability requires only a lower-privileged user on the same cloud instance to write to /tmp; once the attacker's jar is placed, the JVM will load it automatically, giving the attacker control of the victim process.

Generated by OpenCVE AI on June 26, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wolfram Cloud instance to a patched release that removes or secures the default /tmp access for the JVM.
  • Reconfigure the JVM to use a dedicated, non-shared temporary directory that is owned exclusively by the service account and restrict read/write permissions to that account alone.
  • Disable the use of -init files or otherwise ensure that only trusted libraries are included in the classpath during startup, and consider implementing a secure classpath that prevents loading of arbitrary code from user-controlled locations.
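The two configuration checks behind these recommendations can be scripted. The following is an added example, not OpenCVE's or Wolfram's code: it audits a JVM launch for classpath entries and a temp directory that another local user could pre-create or overwrite (the CWE-426 condition the description relies on), and creates a service-owned 0700 temp directory together with the standard `-Djava.io.tmpdir` flag that points the JVM at it. The shared temp roots, the sample paths and the `/opt/wolfram/lib` location are assumptions constructed for illustration.

```python
"""Audit a JVM launch for the untrusted-search-path exposure (CWE-426) described
in CVE-2025-11919 and produce the hardened temp-dir setting the advice asks for.

Added example, not OpenCVE's or Wolfram's code. Assumptions: the shared temp
roots below, that the JVM's temp directory is set via the standard
-Djava.io.tmpdir property, and that the classpath uses os.pathsep separators.
All sample paths are constructed.
"""
import os
import stat
from typing import List, Optional, Sequence, Tuple

# Assumption: shared temp roots a multi-user instance typically exposes; the
# advisory's /tmp/UserTemporaryFiles/ sits under the first one.
SHARED_TMP_ROOTS: Tuple[str, ...] = ("/tmp", "/var/tmp")


def is_world_writable(path: str) -> bool:
    """True if `path` exists and its mode grants write access to 'others'."""
    try:
        return bool(os.lstat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def first_writable_ancestor(path: str, stop_at: str = "/") -> Optional[str]:
    """Walk from `path` up to `stop_at` (inclusive) and return the first
    component another user could write to, or None.

    A writable ancestor matters even when the entry itself does not exist yet:
    the advisory's attack is to create the jar or directory before the victim
    JVM resolves it, so the sticky bit on /tmp does not help.
    """
    path = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while True:
        if is_world_writable(path):
            return path
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return None
        path = parent


def shared_root_of(path: str, shared_roots: Sequence[str]) -> Optional[str]:
    """Return the shared temp root that contains `path`, or None."""
    path = os.path.abspath(path)
    for root in shared_roots:
        root = os.path.abspath(root)
        if path == root or path.startswith(root.rstrip("/") + "/"):
            return root
    return None


def check_path(path: str, shared_roots: Sequence[str], stop_at: str) -> Optional[str]:
    """Reason the JVM should not trust `path`, or None if it looks private."""
    root = shared_root_of(path, shared_roots)
    if root is not None:
        return f"under shared temp root {root}"
    writable = first_writable_ancestor(path, stop_at)
    if writable is not None:
        return f"component {writable} is world-writable"
    return None


def audit_jvm_paths(classpath: str, tmpdir: str,
                    shared_roots: Sequence[str] = SHARED_TMP_ROOTS,
                    stop_at: str = "/") -> List[Tuple[str, str, str]]:
    """Return (kind, path, reason) for every classpath entry and the temp dir
    that another local user could influence. An empty list means clean."""
    findings = []
    for entry in filter(None, classpath.split(os.pathsep)):
        reason = check_path(entry, shared_roots, stop_at)
        if reason:
            findings.append(("classpath", entry, reason))
    reason = check_path(tmpdir, shared_roots, stop_at)
    if reason:
        findings.append(("tmpdir", tmpdir, reason))
    return findings


def private_tmpdir_flag(base: str, name: str = "jvm-tmp") -> str:
    """Create a 0700 temp directory under `base` (which must itself be owned by
    the service account and not shared) and return the JVM flag that makes
    java.io.tmpdir point at it instead of the shared /tmp."""
    path = os.path.join(os.path.abspath(base), name)
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # makedirs honours umask; force the exact mode
    return f"-Djava.io.tmpdir={path}"


if __name__ == "__main__":
    # Constructed sample: one jar resolved from the shared user temp area
    # (as in the advisory) and one from a hypothetical private lib directory.
    sample_cp = os.pathsep.join([
        "/tmp/UserTemporaryFiles/lib/commons-io.jar",
        "/opt/wolfram/lib/commons-io.jar",
    ])
    for kind, path, reason in audit_jvm_paths(sample_cp, tmpdir="/tmp"):
        print(f"[{kind}] {path}: {reason}")
```

Run it against the real launch command by passing the JVM's `-cp` value and the directory `java.io.tmpdir` currently resolves to; any finding means a lower-privileged user on the same instance could pre-create that path before the service starts, which is exactly the window the description exploits. The `stop_at` argument bounds the ancestor walk so a deliberately private tree can be audited without the check tripping on the system root.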


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-426

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-426
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
Title Unprotected temporary directories in Wolfram Cloud may result in privilege escalation
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-26T17:40:10.720Z

Reserved: 2025-10-17T14:38:44.831Z

Link: CVE-2025-11919

Vulnrichment

Updated: 2026-06-26T15:49:25.791Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:00:05Z

Weaknesses

No weakness.