CVE-2026-8484

Vulnerability

A heap buffer overflow vulnerability exists in the Jansi JNI ioctl() wrapper due to a lack of size verification for the argument array before the system call. This flaw can lead to heap corruption and application crashes (denial of service). All versions of Jansi through 2.4.3 are believed to be vulnerable. The project is unmaintained at the time of CVE assignment [1][2].

Exploitation

An attacker who can control the arguments passed to the ioctl() wrapper—for example, by supplying a crafted input to an application that uses the Jansi library—can trigger the overflow. No authentication is required if the application exposes this functionality. The attacker provides an oversized argument array, causing the JNI wrapper to write beyond the allocated heap buffer, corrupting adjacent memory.

Impact

Successful exploitation results in heap corruption, leading to application crashes (denial of service). The impact is limited to availability; no code execution or privilege escalation has been demonstrated in the available references. The crash occurs at the privilege level of the affected application.

Mitigation

No official patch is available because the Jansi project is unmaintained. The recommended mitigation is to migrate to the successor library org.jline:jansi as indicated in the project repository [1]. There is no known workaround for the vulnerable library itself. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.