VYPR
High severity · 7.5 · NVD Advisory · Published May 5, 2026 · Updated May 5, 2026

CVE-2026-6918

Description

In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a crafted 32-byte TCP message.

Patches

774e440bb6b9

Merge pull request #23793 from mpirvu/jitserver-overrun-fix

https://github.com/eclipse-openj9/openj9 · Irwin D'Souza · Apr 21, 2026 · via nvd-ref
2 files changed · +15 −10
  • runtime/compiler/net/MessageBuffer.cpp+14 4 modified
    @@ -20,11 +20,12 @@
      * SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
      *******************************************************************************/
     
    -#include "net/MessageBuffer.hpp"
    -#include "infra/CriticalSection.hpp"
    -#include "env/VerboseLog.hpp"
    -#include "control/Options.hpp"
     #include <cstring>
    +#include "control/Options.hpp"
    +#include "env/VerboseLog.hpp"
    +#include "infra/CriticalSection.hpp"
    +#include "net/MessageBuffer.hpp"
    +#include "net/StreamExceptions.hpp"
     
     namespace JITServer {
     
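Review bot: the include block at the top of MessageBuffer.cpp is reordered in the same commit as the security fix, although only the new `#include "net/StreamExceptions.hpp"` is needed for the `StreamFailure` thrown below. Moving `net/MessageBuffer.hpp` from first to fourth position also drops the check that the file's own header compiles without relying on earlier includes. Consider limiting this hunk to the one added include so the fix applies cleanly to older branches, and doing the reordering separately.
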
    @@ -108,6 +109,15 @@ uint32_t MessageBuffer::writeData(const void *dataStart, uint32_t dataSize, uint
         return offset(data);
     }
     
    +uint32_t MessageBuffer::readData(uint32_t dataSize)
    +{
    +    if (_curPtr + dataSize > _storage + _capacity)
    +        throw JITServer::StreamFailure("readData exceeds buffer bounds");
    +    char *data = _curPtr;
    +    _curPtr += dataSize; // Advance cursor
    +    return offset(data); // Return offset before the advance
    +}
    +
     uint8_t MessageBuffer::alignCurrentPositionOn64Bit()
     {
         // Compute the amount of padding required to align _curPtr on 64-bit boundary
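
Review bot: the bounds check in readData, `_curPtr + dataSize > _storage + _capacity`, forms the possibly out-of-range pointer before comparing it. dataSize is a caller-supplied uint32_t, so `_curPtr + dataSize` can point far beyond the allocation, which is undefined behaviour in C++ and can wrap on a 32-bit address space, letting the comparison pass. Comparing sizes instead avoids this, for example `if (dataSize > (size_t)(_storage + _capacity - _curPtr)) throw ...`. It is also worth confirming that `_capacity` is the intended limit for a read, as opposed to the number of bytes actually written into the buffer.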
    
  • runtime/compiler/net/MessageBuffer.hpp+1 6 modified
    @@ -151,12 +151,7 @@ class MessageBuffer {
     
            @return offset to the beginning of data
         */
    -    uint32_t readData(uint32_t dataSize)
    -    {
    -        char *data = _curPtr;
    -        _curPtr += dataSize; // Advance cursor
    -        return offset(data); // Return offset before the advance
    -    }
    +    uint32_t readData(uint32_t dataSize);
     
         void clear() { _curPtr = _storage; }
     
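Review bot: the doc comment kept above the `readData` declaration still only says `@return offset to the beginning of data`, but the out-of-line definition now throws `JITServer::StreamFailure` when the read would pass the end of the buffer. Please document the exception in that comment so callers know they must handle it, and note there that the cursor is not advanced when the check fails.
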
    
