Description
In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.
Published: 2026-05-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Eclipse OpenJ9 JITServer is vulnerable to a pre‑authentication remote crash. By sending a single 32‑byte crafted TCP packet, an attacker can cause the JITServer component to terminate. The effect is a loss of service for any JVMs using the compromised OpenJ9 build, disrupting application availability and potentially cascading into larger infrastructure downtime.

Affected Systems

The flaw affects Eclipse OpenJ9 releases from version 0.21 through 0.58, all distributed by the Eclipse Foundation. Systems running any affected OpenJ9 JVM on Linux, Windows, macOS, or other supported platforms that accept network traffic to the JITServer endpoint are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability carries a high severity rating. The EPSS score is not available, but the lack of an authentication requirement and the ability to trigger a crash from any remote host elevate the risk. The vulnerability is not listed in CISA’s KEV catalog, yet the simplicity of the exploit and its remote nature warrant rapid response. An attacker can reach the target by opening the JITServer TCP port and dispatching the malicious packet, making the flaw highly actionable.

Generated by OpenCVE AI on May 5, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Eclipse OpenJ9 0.59 or later, which removes the JITServer crash vulnerability.
  • If an upgrade cannot be applied immediately, block or filter inbound traffic on the JITServer TCP port (default 7800) to prevent remote clients from sending the crafted packet.
  • Monitor JVM logs for abrupt JITServer termination events and ensure that any recovery mechanisms or fail‑over strategies are in place to maintain application availability.

Generated by OpenCVE AI on May 5, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:eclipse:openj9:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 05 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse openj9
Vendors & Products Eclipse
Eclipse openj9

Tue, 05 May 2026 13:45:00 +0000

Type Values Removed Values Added
Title Pre‑authentication Remote Crash of JITServer in Eclipse OpenJ9

Tue, 05 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Eclipse Openj9
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-05-05T13:11:47.122Z

Reserved: 2026-04-23T16:00:33.514Z

Link: CVE-2026-6918

cve-icon Vulnrichment

Updated: 2026-05-05T13:11:36.933Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T13:16:30.710

Modified: 2026-05-05T20:08:58.747

Link: CVE-2026-6918

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T14:00:06Z

Weaknesses