Every CVE whose affected-product data names Eclipse Openj9, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (21)
CVE-2018-12549 — CVSS 9.8 (critical): In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when…
CVE-2019-11772 — CVSS 9.8 (critical): In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null…
CVE-2018-12548 — CVSS 9.8 (critical): In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives…
CVE-2020-27221 — CVSS 9.8 (critical): In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI…
CVE-2021-41035 — CVSS 9.8 (critical): In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface…
CVE-2018-12547 — CVSS 9.8 (critical): In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This…
CVE-2019-17631 — CVSS 9.1 (critical): From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without…
CVE-2018-12539 — CVSS 7.8 (high): In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM…
CVE-2019-11771 — CVSS 7.8 (high): AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2025-4447 — CVSS 7.8 (high): In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on…
CVE-2026-6918 — CVSS 7.5 (high): In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.
CVE-2019-10245 — CVSS 7.5 (high): In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode…
CVE-2019-11775 — CVSS 7.4 (high): All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the…
CVE-2023-2597 — CVSS 7.0 (high): In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size…
CVE-2022-3676 — CVSS 6.5 (medium): In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of…
CVE-2021-28167 — CVSS 6.5 (medium): In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain…
CVE-2019-17639 — CVSS 5.3 (medium): In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the…
CVE-2021-41041 — CVSS 5.3 (medium): In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is…
CVE-2024-3933 — CVSS 5.3 (medium): In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence…
CVE-2023-5676 — CVSS 4.1 (medium): In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a…
CVE-2024-10917 — CVSS 3.7 (low): In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From…