CVE-2026-6918
Published: 05 May 2026
Description
In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.
Security Summary
CVE-2026-6918 is a denial-of-service vulnerability (CWE-125: Out-of-bounds Read) affecting Eclipse OpenJ9 versions 0.21 through 0.58. A remote attacker who can reach the JITServer component over the network can crash it, before any authentication takes place, by sending a specifically crafted 32-byte TCP message. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and a high availability impact, which together place it in the High severity band.
An unauthenticated attacker with network access to a vulnerable JITServer instance can exploit this issue remotely without authenticating. Sending the crafted 32-byte TCP message crashes the JITServer process, resulting in denial of service; confidentiality and integrity are not affected.
Mitigation details and patches are documented in the Eclipse OpenJ9 security advisory at https://github.com/eclipse-openj9/openj9/security/advisories/GHSA-q393-vr4c-969r and in pull request https://github.com/eclipse-openj9/openj9/pull/23793. Operators should consult those resources and upgrade to a release later than 0.58.
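The first practical question is whether a given JDK is an OpenJ9 build in the 0.21 to 0.58 range at all. The Python below is an added example, not code from the advisory or the OpenJ9 project. It parses the `java -version` banner, which on OpenJ9 builds carries a token of the form `build openj9-0.NN.N` (an assumption about the banner format, not stated on this page; HotSpot-based JDKs print no such token), and flags versions inside the affected range. The sample banners are constructed for the example. A version in range only means the code is present; whether a JITServer process is actually running and reachable on the network is a separate check.

```python
"""Flag an OpenJ9 build whose version falls in the CVE-2026-6918 affected range.

Added example. Assumes the `java -version` banner of an OpenJ9 build contains
a token such as "build openj9-0.40.0"; the affected range comes from the
advisory text (0.21 through 0.58 inclusive).
"""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (0, 21)
AFFECTED_MAX = (0, 58)

# Matches "openj9-0.40.0" style tokens; the patch component is optional.
OPENJ9_BUILD_RE = re.compile(r"\bopenj9-(\d+)\.(\d+)(?:\.(\d+))?")


def openj9_version(version_banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) of the OpenJ9 VM, or None if not OpenJ9."""
    m = OPENJ9_BUILD_RE.search(version_banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: Optional[Tuple[int, int, int]]) -> bool:
    """True when the (major, minor) release lies within the advisory's range."""
    if version is None:
        return False  # not an OpenJ9 VM, so this CVE does not apply
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def check_local_java(java: str = "java") -> Tuple[Optional[Tuple[int, int, int]], bool]:
    """Run `java -version` (which writes its banner to stderr) and classify it."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True, check=False)
    version = openj9_version(proc.stderr + proc.stdout)
    return version, is_affected(version)


# Constructed sample banners (not captured from a real host).
SAMPLE_OPENJ9 = (
    'openjdk version "17.0.8" 2023-07-18\n'
    "IBM Semeru Runtime Open Edition 17.0.8.0 (build 17.0.8+7)\n"
    "Eclipse OpenJ9 VM 17.0.8.0 (build openj9-0.40.0, JRE 17 Linux amd64-64-Bit "
    "Compressed References 20230718_000000 (JIT enabled, AOT enabled)\n"
)
SAMPLE_HOTSPOT = (
    'openjdk version "17.0.8" 2023-07-18\n'
    "OpenJDK Runtime Environment Temurin-17.0.8+7 (build 17.0.8+7)\n"
    "OpenJDK 64-Bit Server VM Temurin-17.0.8+7 (build 17.0.8+7, mixed mode, sharing)\n"
)

if __name__ == "__main__":
    for name, banner in (("openj9 sample", SAMPLE_OPENJ9), ("hotspot sample", SAMPLE_HOTSPOT)):
        v = openj9_version(banner)
        print(f"{name}: openj9_version={v} affected={is_affected(v)}")
    try:
        print("local java:", check_local_java())
    except FileNotFoundError:
        print("local java: no `java` binary on PATH")
```

Point `check_local_java` at each JDK installation on a host (the `java` argument takes a full path), since containers and application servers frequently bundle their own runtime rather than the one on `PATH`.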
Details
- CWE(s): CWE-125 (Out-of-bounds Read)
Affected Products
- Eclipse OpenJ9, versions 0.21 through 0.58 (JITServer component)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote, pre-authentication exploitation of an out-of-bounds read in JITServer that crashes the service outright, which matches T1499.004 (Endpoint Denial of Service: Application or System Exploitation).