Eclipse OpenJ9

21 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-6918
>= 0.21.0 and < 0.59.0
In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP
7.5 HIGH
CVE-2025-4447
>= 0.8.0 and <= 0.51.0
In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a
7.8 HIGH
CVE-2024-10917
>= 0.8.0 and < 0.48.0
In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around.
3.7 LOW
CVE-2024-3933
>= 0.13.0 and < 0.44.0
In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the seq
5.3 MEDIUM
CVE-2023-5676
< 0.41.0
In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if
4.1 MEDIUM
CVE-2023-2597
< 0.38.0
In Eclipse OpenJ9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds)
7.0 HIGH
CVE-2022-3676
< 0.35.0
In Eclipse OpenJ9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could mak
6.5 MEDIUM
CVE-2021-41041
< 0.32.0
In Eclipse OpenJ9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verifi
5.3 MEDIUM
CVE-2021-41035
< 0.29.0
In Eclipse OpenJ9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible inte
9.8 CRITICAL
CVE-2021-28167
<= 0.25.0
In Eclipse OpenJ9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolv
6.5 MEDIUM
CVE-2020-27221
<= 0.23.0
In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine
9.8 CRITICAL
CVE-2019-17639
<= 0.20.0
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the leng
5.3 MEDIUM
CVE-2019-17631
>= 0.15.0 and <= 0.16.0
From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted
9.1 CRITICAL
CVE-2019-11775
< 0.15.0
All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out
7.4 HIGH
CVE-2019-11772
< 0.15.0
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is
9.8 CRITICAL
CVE-2019-11771
< 0.15.0
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by lo
7.8 HIGH
CVE-2019-10245
< 0.14.0
In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of b
7.5 HIGH
CVE-2018-12549
all versions
In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe ca
9.8 CRITICAL
CVE-2018-12547
< 0.12.0
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter
9.8 CRITICAL
CVE-2018-12548
all versions
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static nat
9.8 CRITICAL
CVE-2018-12539
all versions
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse Open
7.8 HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin