CVE-2010-0843
Description
Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to XNewPtr and improper handling of an integer parameter when allocating heap memory in the com.sun.media.sound libraries, which allows remote attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unspecified vulnerability in Oracle Java Sound component leads to remote code execution via integer overflow in com.sun.media.sound.
Vulnerability
Unspecified vulnerability in the Sound component of Oracle Java SE and Java for Business versions 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27. According to a reliable researcher, the flaw is related to XNewPtr and improper handling of an integer parameter when allocating heap memory in the com.sun.media.sound libraries [description]. This allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attack vector is network-based, likely via a crafted Java applet or application that triggers the integer handling issue in the sound libraries. The exact steps are not publicly detailed, but exploitation requires user interaction (e.g., visiting a malicious website) to load the vulnerable code.
Impact
Successful exploitation can lead to arbitrary code execution with the privileges of the user running the Java application. This compromises confidentiality, integrity, and availability of the affected system. The vulnerability has a CVSS base score of 10.0 indicating critical severity.
Mitigation
Oracle released fixes in the March 2010 Critical Patch Update (CPU). Users should apply the appropriate patch for their Java version. For unsupported versions (e.g., 1.3.1), upgrade to a supported release. Third-party products (e.g., VMware, HP-UX, Apple Mac OS X) have released advisories including updates that address this CVE [1][2][3][4].
- Support Content Notification - Support Portal - Broadcom support portal
- [security bulletin] HPSBMU02799 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.0x Running JD
- [security bulletin] HPSBUX02524 SSRT100089 rev.1 - HP-UX Running Java, Remote Execution of Arbitrary
- About the security content of Java for Mac OS X 10.5 Update 7 - Apple Support
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:sun:jdk:1.5.0:update23:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.3.1_27:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.4.2_25:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.5.0:update23:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*
- cpe:2.3:a:sun:sdk:1.3.1_27:*:*:*:*:*:*:*
- cpe:2.3:a:sun:sdk:1.4.2_25:*:*:*:*:*:*:*
- Range: 6 Update 18, 5.0 Update 23, 1.4.2_25, 1.3.1_27
References
- secunia.com/advisories/39317 (nvd, Vendor Advisory)
- secunia.com/advisories/39659 (nvd, Vendor Advisory)
- secunia.com/advisories/39819 (nvd, Vendor Advisory)
- secunia.com/advisories/40211 (nvd, Vendor Advisory)
- secunia.com/advisories/40545 (nvd, Vendor Advisory)
- secunia.com/advisories/43308 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2010/1191 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2010/1454 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2010/1523 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2010/1793 (nvd, Vendor Advisory)
- itrc.hp.com/service/cki/docDisplay.do (nvd)
- lists.apple.com/archives/security-announce/2010//May/msg00001.html (nvd)
- lists.apple.com/archives/security-announce/2010//May/msg00002.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html (nvd)
- marc.info (nvd)
- marc.info (nvd)
- osvdb.org/63492 (nvd)
- seclists.org/bugtraq/2010/Apr/41 (nvd)
- support.apple.com/kb/HT4170 (nvd)
- support.apple.com/kb/HT4171 (nvd)
- www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html (nvd)
- www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html (nvd)
- www.redhat.com/support/errata/RHSA-2010-0337.html (nvd)
- www.redhat.com/support/errata/RHSA-2010-0338.html (nvd)
- www.redhat.com/support/errata/RHSA-2010-0383.html (nvd)
- www.redhat.com/support/errata/RHSA-2010-0471.html (nvd)
- www.redhat.com/support/errata/RHSA-2010-0489.html (nvd)
- www.securityfocus.com/archive/1/516397/100/0/threaded (nvd)
- www.securityfocus.com/bid/39083 (nvd)
- www.vmware.com/security/advisories/VMSA-2011-0003.html (nvd)
- www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html (nvd)
- www.zerodayinitiative.com/advisories/ZDI-10-052/ (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14092 (nvd)