Description
In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free).
Published: 2026-06-18
Score: 5.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Eclipse 4diac FORTE versions 3.0.0 through 3.1.0 contain a use‑after‑free condition triggered by a crafted DELETE connection command sent to the management interface. The bug causes a dangling pointer to remain after a connection has been deleted, and subsequent commands can dereference the freed memory. An attacker who can supply such a command could read or corrupt data in memory, potentially crashing the application or manipulating its internal state.

Affected Systems

Eclipse Foundation's Eclipse 4diac FORTE product is affected. The vulnerable releases are 3.0.0 up to and including 3.1.0. No other versions have been identified as affected.

Risk and Exploitability

The CVSS score of 5.2 indicates a medium severity vulnerability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. Based on the description, it is inferred that an attacker must be able to send crafted DELETE connection requests to the management interface, which could be accessed locally or over a network. Exploitation could result in application crashes or memory corruption, but no proof of arbitrary code execution is documented.

Generated by OpenCVE AI on June 18, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eclipse 4diac FORTE to a version after 3.1.0 that eliminates the use‑after‑free flaw.
  • Restrict access to the management interface by limiting network exposure to trusted hosts or implementing role‑based authentication.
  • Validate all DELETE connection commands on the server side to reject malformed requests and prevent dereferencing of freed memory.


Tracking


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:00:00 +0000

Values added:
  • Title: Use‑After‑Free via DELETE Connection in Eclipse 4diac FORTE Management Interface

Thu, 18 Jun 2026 16:45:00 +0000

Values added:
  • Description: In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free).
  • Weaknesses: CWE-416
  • References: (none)
  • Metrics (cvssV4_0): {'score': 5.2, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/S:P/RE:L/U:Green'}
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-06-18T14:40:32.904Z

Reserved: 2026-05-21T07:43:54.846Z

Link: CVE-2026-9158

Vulnrichment

Updated: 2026-06-18T14:33:38.193Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:45:16Z

Weaknesses