<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Wed, 27 May 2026 14:24:40 +0000</lastBuildDate>
    <item>
      <title>68a24fa4-10c5-4d98-adb6-7d3a9fb7967f</title>
      <link>https://vulnerability.circl.lu/sighting/68a24fa4-10c5-4d98-adb6-7d3a9fb7967f/export</link>
      <description>{"uuid": "68a24fa4-10c5-4d98-adb6-7d3a9fb7967f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6860", "type": "seen", "source": "https://gist.github.com/alon710/125ca2c976df983809333bd3a8522eed", "content": "# CVE-2026-6860: Unbounded SNI Cache Growth in Eclipse Vert.x\n\n&gt; **CVSS Score:** 5.3\n&gt; **Published:** 2026-05-09\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-6860\n\n## Summary\nEclipse Vert.x suffers from an uncontrolled resource consumption vulnerability within its Server Name Indication (SNI) processing logic. When server-side SNI is enabled alongside a wildcard TLS certificate, unauthenticated remote attackers can exhaust server memory by initiating handshakes with continuous unique hostname values, ultimately resulting in a Denial of Service (DoS).\n\n## TL;DR\nA flaw in the SNI caching mechanism of Eclipse Vert.x allows remote attackers to trigger out-of-memory (OOM) conditions. By sending numerous TLS ClientHello messages with uniquely generated hostnames matching a wildcard certificate, an attacker bypasses cache hits and forces the unbounded allocation of `SslContext` objects in JVM memory.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network\n- **CVSS v4.0 Score**: 6.9 (Medium)\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **Impact**: Denial of Service (OOM)\n- **Exploit Status**: Proof of Concept\n- **EPSS Percentile**: 6.48%\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Eclipse Vert.x Applications\n- Java Virtual Machine (JVM) instances running Vert.x TLS\n- Microservices utilizing io.vertx:vertx-core for SNI termination\n- **io.vertx:vertx-core**: &gt;= 4.3.4, &lt;= 4.3.8 (Fixed in: `4.3.9`)\n- **io.vertx:vertx-core**: &gt;= 4.4.0, &lt;= 4.4.9 (Fixed in: `4.4.10`)\n- **io.vertx:vertx-core**: &gt;= 4.5.0, &lt;= 4.5.26 (Fixed in: `4.5.27`)\n- **io.vertx:vertx-core**: &gt;= 5.0.0, &lt;= 5.0.11 (Fixed in: `5.0.12`)\n\n## Mitigation\n\n- Upgrade the io.vertx:vertx-core library to a patched version.\n- Disable server-side SNI via configuration if not strictly required.\n- Offload TLS termination to a network edge component (e.g., Nginx, HAProxy, AWS ALB).\n- Avoid the use of wildcard certificates where strict domain matching is possible.\n- Implement rate limiting for new TLS handshake connections per source IP address.\n\n**Remediation Steps:**\n1. Identify all projects and microservices depending on io.vertx:vertx-core.\n2. Update dependency management files (pom.xml for Maven, build.gradle for Gradle) to specify the appropriate patched version.\n3. Recompile and execute integration test suites to verify compatibility with the new patch release.\n4. Deploy the updated application artifact to the staging environment and monitor heap usage.\n5. Promote the patched application to the production environment.\n\n## References\n\n- [NVD Vulnerability Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-6860)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-6860)\n- [GitHub Security Advisory GHSA-3g76-f9xq-8vp6](https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6)\n- [Eclipse Vert.x Pull Request #6102](https://github.com/eclipse-vertx/vert.x/pull/6102)\n- [GitLab Security Issue #381](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-6860) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-09T05:10:28.000000Z"}</description>
      <content:encoded>{"uuid": "68a24fa4-10c5-4d98-adb6-7d3a9fb7967f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6860", "type": "seen", "source": "https://gist.github.com/alon710/125ca2c976df983809333bd3a8522eed", "content": "# CVE-2026-6860: Unbounded SNI Cache Growth in Eclipse Vert.x\n\n&gt; **CVSS Score:** 5.3\n&gt; **Published:** 2026-05-09\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-6860\n\n## Summary\nEclipse Vert.x suffers from an uncontrolled resource consumption vulnerability within its Server Name Indication (SNI) processing logic. When server-side SNI is enabled alongside a wildcard TLS certificate, unauthenticated remote attackers can exhaust server memory by initiating handshakes with continuous unique hostname values, ultimately resulting in a Denial of Service (DoS).\n\n## TL;DR\nA flaw in the SNI caching mechanism of Eclipse Vert.x allows remote attackers to trigger out-of-memory (OOM) conditions. By sending numerous TLS ClientHello messages with uniquely generated hostnames matching a wildcard certificate, an attacker bypasses cache hits and forces the unbounded allocation of `SslContext` objects in JVM memory.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network\n- **CVSS v4.0 Score**: 6.9 (Medium)\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **Impact**: Denial of Service (OOM)\n- **Exploit Status**: Proof of Concept\n- **EPSS Percentile**: 6.48%\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Eclipse Vert.x Applications\n- Java Virtual Machine (JVM) instances running Vert.x TLS\n- Microservices utilizing io.vertx:vertx-core for SNI termination\n- **io.vertx:vertx-core**: &gt;= 4.3.4, &lt;= 4.3.8 (Fixed in: `4.3.9`)\n- **io.vertx:vertx-core**: &gt;= 4.4.0, &lt;= 4.4.9 (Fixed in: `4.4.10`)\n- **io.vertx:vertx-core**: &gt;= 4.5.0, &lt;= 4.5.26 (Fixed in: `4.5.27`)\n- **io.vertx:vertx-core**: &gt;= 5.0.0, &lt;= 5.0.11 (Fixed in: `5.0.12`)\n\n## Mitigation\n\n- Upgrade the io.vertx:vertx-core library to a patched version.\n- Disable server-side SNI via configuration if not strictly required.\n- Offload TLS termination to a network edge component (e.g., Nginx, HAProxy, AWS ALB).\n- Avoid the use of wildcard certificates where strict domain matching is possible.\n- Implement rate limiting for new TLS handshake connections per source IP address.\n\n**Remediation Steps:**\n1. Identify all projects and microservices depending on io.vertx:vertx-core.\n2. Update dependency management files (pom.xml for Maven, build.gradle for Gradle) to specify the appropriate patched version.\n3. Recompile and execute integration test suites to verify compatibility with the new patch release.\n4. Deploy the updated application artifact to the staging environment and monitor heap usage.\n5. Promote the patched application to the production environment.\n\n## References\n\n- [NVD Vulnerability Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-6860)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-6860)\n- [GitHub Security Advisory GHSA-3g76-f9xq-8vp6](https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6)\n- [Eclipse Vert.x Pull Request #6102](https://github.com/eclipse-vertx/vert.x/pull/6102)\n- [GitLab Security Issue #381](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-6860) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-09T05:10:28.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/68a24fa4-10c5-4d98-adb6-7d3a9fb7967f/export</guid>
      <pubDate>Sat, 09 May 2026 05:10:28 +0000</pubDate>
    </item>
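The sighting above describes the failure mode (one SslContext allocated per distinct SNI hostname, with a wildcard certificate guaranteeing a match for every name) and lists per-source rate limiting among the mitigations. The following is an added example, not Vert.x code and not the upstream fix from the referenced pull request: it models the vulnerable cache beside a hardened one that keys on the certificate actually selected and caps the map, and runs a simple per-source distinct-SNI detector over a constructed handshake log. The SslContext stand-in, the certificate list, the 50-name threshold and the log format are all assumptions made for illustration; the real Vert.x internals may differ.

```python
"""Model of an SNI-keyed TLS context cache that grows without bound when a
wildcard certificate matches every unique hostname (the CVE-2026-6860 pattern).

Added example; the classes below are stand-ins, not io.vertx:vertx-core code.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class SslContext:
    """Stand-in for the per-hostname TLS context the advisory says is allocated."""
    cert_name: str


def matching_cert(hostname, certs):
    """Return the configured certificate name (exact or wildcard) serving
    hostname, or None. A wildcard covers exactly one leftmost label, as in
    RFC 6125 section 6.4.3, so a.b.example.com does not match *.example.com."""
    host = hostname.lower().rstrip(".")
    for cert in certs:
        c = cert.lower()
        if c == host:
            return cert
        if c.startswith("*.") and "." in host and host.split(".", 1)[1] == c[2:]:
            return cert
    return None


class UnboundedSniCache:
    """Vulnerable pattern: one SslContext per distinct SNI value, never evicted.
    Every fresh hostname under the wildcard is a cache miss and a new allocation."""

    def __init__(self, certs):
        self.certs = certs
        self.cache = {}

    def context_for(self, hostname):
        cert = matching_cert(hostname, self.certs)
        if cert is None:
            return None
        if hostname not in self.cache:
            self.cache[hostname] = SslContext(cert)
        return self.cache[hostname]


class BoundedSniCache:
    """Hardened pattern: key on the certificate that was selected, so all names
    under one wildcard share a single context, and cap the map with LRU eviction
    so even many distinct exact-match certificates cannot grow it without bound."""

    def __init__(self, certs, max_entries=64):
        self.certs = certs
        self.max_entries = max_entries  # assumed cap, not a Vert.x setting
        self.cache = OrderedDict()

    def context_for(self, hostname):
        cert = matching_cert(hostname, self.certs)
        if cert is None:
            return None
        if cert in self.cache:
            self.cache.move_to_end(cert)
        else:
            self.cache[cert] = SslContext(cert)
            if len(self.cache) > self.max_entries:
                self.cache.popitem(last=False)  # drop least recently used
        return self.cache[cert]


def simulate(cache, handshakes):
    """Drive the cache with unique hostnames under *.example.com, as the
    attacker in the advisory does, and return the resulting cache size."""
    for i in range(handshakes):
        cache.context_for(f"h{i}.example.com")
    return len(cache.cache)


# Constructed handshake log, one "src_ip sni" pair per line: one source cycling
# through 200 unique names, another repeating a single legitimate name.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 h{i}.example.com" for i in range(200)]
    + ["198.51.100.2 www.example.com"] * 500
)


def suspicious_sources(log, threshold=50):
    """Flag sources that presented more than threshold distinct SNI names; this
    is the signal a per-source handshake rate limiter or alert would key on."""
    seen = {}
    for line in log.strip().splitlines():
        ip, sni = line.split()
        seen.setdefault(ip, set()).add(sni.lower().rstrip("."))
    return sorted(ip for ip, names in seen.items() if len(names) > threshold)


if __name__ == "__main__":
    certs = ["*.example.com"]
    print("unbounded:", simulate(UnboundedSniCache(certs), 1000))
    print("bounded:  ", simulate(BoundedSniCache(certs), 1000))
    print("flagged:  ", suspicious_sources(SAMPLE_LOG))
```

Running the block drives a thousand unique-hostname handshakes into each cache: the vulnerable map ends at a thousand entries and keeps growing with every new name, while the hardened map holds one entry because every name under the wildcard resolves to the same certificate. The detector flags only the source that presented many distinct names, not the one that repeated a legitimate hostname, which is the distinction a per-source rate limit at the edge needs to make.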
  </channel>
</rss>
