Openj9
This hub aggregates every CVE we track for Openj9, a product in the devtools ci space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 21
- Critical: 7
- High: 7
- In CISA KEV: 0
Severity distribution
HIGH: 7, CRITICAL: 7, MEDIUM: 6, LOW: 1
Monthly trend
2024-07 to 2026-06, one value per month: 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Openj9.
- CVE-2026-6918 (score 7.5): In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.
- CVE-2025-4447 (score 7.8): Buffer Overflow in Eclipse OpenJ9
- CVE-2024-10917 (score 3.7): Eclipse OpenJ9 might return an incorrect value in JNI function GetStringUTFLength
- CVE-2024-3933 (score 5.3): Eclipse OpenJ9 with -Xgc:concurrentScavenge on IBM Z could write/read outside of a buffer
- CVE-2023-5676 (score 4.1): Eclipse OpenJ9 possible infinite busy hang
- CVE-2023-2597 (score 7.0): In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of th...
- CVE-2022-3676 (score 6.5): In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatib...
- CVE-2021-41041 (score 5.3): In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverifi...
- CVE-2021-41035 (score 9.8): In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.
- CVE-2021-28167 (score 6.5): In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static ...
- CVE-2020-27221 (score 9.8): In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform enc...
- CVE-2019-17639 (score 5.3): In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially cra...
- CVE-2019-17631 (score 9.1): From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks.
- CVE-2019-11775 (score 7.4): All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition th...
- CVE-2019-11772 (score 9.8): In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by...
Product normalization is registry-driven with AI assist and human review.