Cyber Resilience

CVE-2012-0507

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 07 June 2012
Modified: 22 April 2026
KEV Added: 03 March 2022
Patch: (not listed)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9357 (99.8th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2012-0507 is a critical-severity Type Confusion (CWE-843) vulnerability in the Sun JRE (Java Runtime Environment). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an unspecified issue in the Java Runtime Environment component of Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier. It stems from the AtomicReferenceArray class implementation failing to ensure that its backing array is of type Object[], which can lead to a JVM crash or a sandbox bypass; the issue is tracked under concurrency-related vectors with associated CWEs including CWE-843.

Remote attackers can exploit the flaw without authentication to impact confidentiality, integrity, and availability. Successful attacks enable denial of service through JVM crashes or circumvention of Java sandbox restrictions to execute arbitrary code or access restricted resources.

References describe the issue appearing in exploit packs and detail a sandbox breach case, indicating active use in the wild shortly after disclosure. No specific patch or mitigation details are provided in the available references beyond general security announcements from vendors such as OpenSUSE.

EU & UK References

Vulnerability details

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
sun | jre | 1.5.0, 1.6.0
oracle | jre | 1.6.0, 1.7.0
debian | debian linux | 6.0, 7.0
suse | linux enterprise desktop | 10
suse | linux enterprise java | 10, 11
suse | linux enterprise server | 10, 11
suse | linux enterprise software development kit | 11

Mitigating Controls (NIST 800-53 r5) [AI]

SC-18 Mobile Code (prevent): Directly restricts and controls execution of mobile code (Java applets) that relies on the JRE sandbox the vulnerability bypasses.

SI-2 Flaw Remediation (prevent): Requires prompt application of vendor patches that remediate the AtomicReferenceArray flaw in supported JRE versions.

Malicious code protection (prevent, detect): Deploys malicious-code detection and blocking mechanisms that can identify or stop exploit payloads targeting this sandbox bypass.
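As a worked illustration of the SI-2 (Flaw Remediation) control, the following script is an added example, not part of this advisory or of Oracle's tooling. It parses a `java -version` banner and classifies the runtime against the affected ranges stated above (Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier). The mapping of "Update N" to the `1.x.0_NN` banner format, the `LAST_AFFECTED_UPDATE` table and the sample banners are assumptions made for this example; release lines the advisory does not mention are reported as not covered rather than as safe.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected ranges as stated in the advisory text above, keyed by release line
# (major, minor) and giving the last affected update number. Assumed mapping:
# "Java SE 7 Update 2" -> banner "1.7.0_02", etc.
LAST_AFFECTED_UPDATE = {
    (1, 7): 2,   # Java SE 7 Update 2 and earlier
    (1, 6): 30,  # Java SE 6 Update 30 and earlier
    (1, 5): 33,  # Java SE 5.0 Update 33 and earlier
}

# Matches the quoted version in banners such: java version "1.6.0_30"
VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from a `java -version` banner,
    or None if no version string is found."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected(banner: str) -> Optional[bool]:
    """True if the runtime is inside a range the advisory lists as affected,
    False if it is on a listed release line but newer than that range,
    None if the banner is unparseable or the release line is not covered
    by the advisory (e.g. Java 8), which callers should treat as 'unknown'."""
    version = parse_java_version(banner)
    if version is None:
        return None
    line = (version[0], version[1])
    if line not in LAST_AFFECTED_UPDATE:
        return None
    return version[3] <= LAST_AFFECTED_UPDATE[line]


def check_local_java() -> Optional[bool]:
    """Run the installed `java -version` (which writes its banner to stderr)
    and classify it; returns None if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners for demonstration; not collected from real hosts.
    samples = [
        'java version "1.7.0_02"',   # last release inside the stated 7 range
        'java version "1.7.0_03"',   # just past the stated 7 range
        'java version "1.6.0_30"',   # last release inside the stated 6 range
        'java version "1.6.0_31"',   # just past the stated 6 range
        'java version "1.5.0_33"',   # last release inside the stated 5.0 range
        'java version "1.8.0_292"',  # release line not covered by the advisory
    ]
    for banner in samples:
        print(f"{banner:30} affected={is_affected(banner)}")
```

In an inventory sweep the three-valued result matters: a `None` for an unlisted release line means the advisory says nothing about it, so it should be checked against the vendor's own release notes rather than silently counted as patched.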

References