Cyber Resilience

CVE-2026-6918

High · Public PoC · Updated

Published: 05 May 2026

Modified: 30 June 2026
CVSS Score (v4): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0052 (40.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6918 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Eclipse Openj9. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 40.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6918 is a denial-of-service vulnerability (CWE-125: Out-of-bounds Read) affecting Eclipse Openj9 versions 0.21 through 0.58. It allows a pre-authentication remote attacker to crash the JITServer component by sending a specially crafted 32-byte TCP message. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity: it is reachable over the network, has low attack complexity, requires neither privileges nor user interaction, and has a high availability impact.

An unauthenticated attacker with network access to a vulnerable JITServer instance can exploit this issue remotely, without any prior authentication. Transmitting the crafted 32-byte TCP message crashes the JITServer, resulting in denial of service; confidentiality and integrity are not affected.

Mitigation details and patches are documented in the Eclipse Openj9 security advisory at https://github.com/eclipse-openj9/openj9/security/advisories/GHSA-q393-vr4c-969r and in pull request https://github.com/eclipse-openj9/openj9/pull/23793. Security practitioners should review these resources for guidance on upgrading to a patched version later than 0.58.

Vulnerability details

In Eclipse Openj9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote, pre-authentication exploitation of an out-of-bounds read in JITServer that directly crashes the service, matching T1499.004 (Endpoint Denial of Service: Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55100 (same vendor: Eclipse)
CVE-2025-55102 (same vendor: Eclipse)
CVE-2025-0727 (same vendor: Eclipse)
CVE-2025-0726 (same vendor: Eclipse)
CVE-2026-33096 (shared CWE-125)
CVE-2026-22023 (shared CWE-125)
CVE-2026-23456 (shared CWE-125)
CVE-2026-0648 (same vendor: Eclipse)
CVE-2025-21598 (shared CWE-125)
CVE-2026-25627 (shared CWE-125)

Affected Assets

eclipse / openj9: versions 0.21.0 to 0.59.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Flaw remediation directly addresses the out-of-bounds read by applying the Eclipse Openj9 patches to JITServer (versions later than 0.58), so that crafted TCP messages no longer crash the service.

SI-10 Information Input Validation (prevent)

Information input validation checks the validity of the 32-byte TCP messages sent to JITServer, preventing the out-of-bounds reads that cause denial-of-service crashes.

SC-5 Denial-of-service Protection (prevent)

Denial-of-service protection at network entry points blocks or mitigates pre-authentication remote attacks that exploit the JITServer vulnerability with crafted TCP traffic.
